fix(deps): update forgejo docker tag to v7.0.7 (maint/v7) (#722 )

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/722 Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>
ci(forgejo): update experimental docker digests (maint/v7) (#720 )
2024-08-09 14:43:12 +00:00 · 2024-08-09 02:17:15 +00:00 · 2024-08-09 01:12:38 +00:00 · 2024-08-08 01:11:51 +00:00 · 2024-08-07 02:44:00 +00:00 · 2024-08-07 02:08:46 +00:00
52 changed files with 646 additions and 1590 deletions
--- a/.forgejo/actions/setup-k3s/action.yml
+++ b/.forgejo/actions/setup-k3s/action.yml
@ -1,25 +0,0 @@
 # action.yml
 name: setup-k3s
 description: 'setup k3s'
 inputs:
  version:
    description: 'k3s version'
    required: true
 runs:
  using: 'composite'
  steps:
    - shell: bash
      name: install k3s
      run: |
        curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=${INPUT_VERSION} K3S_KUBECONFIG_MODE=640 sh -s - server
        echo "KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> $GITHUB_ENV
    - shell: bash
      name: check k3s
      run: kubectl cluster-info
    - shell: bash
      name: wait for nodes ready
      run: |
        sleep 3
        kubectl wait --for=condition=Ready nodes --all --timeout=600s
--- a/.forgejo/actions/setup-node/action.yml
+++ b/.forgejo/actions/setup-node/action.yml
@ -5,15 +5,11 @@ description: 'setup node'
 runs:
  using: 'composite'
  steps:
-    - name: Setup pnpm
+    - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
      with:
        standalone: true
    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
      with:
        node-version-file: .node-version
-        cache: 'pnpm'
+        # cache: 'npm'
-
+    - shell: bash
      run: corepack enable
    - shell: bash
      run: pnpm install --frozen-lockfile
--- a/.forgejo/renovate/k3s.json
+++ b/.forgejo/renovate/k3s.json
@ -1,57 +0,0 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "packageRules": [
    {
      "description": "Separate minor and patch updates for k3s",
      "matchDatasources": ["github-releases"],
      "matchPackageNames": ["k3s-io/k3s"],
      "separateMultipleMinor": true,
      "separateMinorPatch": true,
      "branchTopic": "{{{depNameSanitized}}}{{#if isMinor}}-minor{{/if}}-{{{newMajor}}}{{#if isPatch}}.{{{newMinor}}}{{/if}}.x{{#if isLockfileUpdate}}-lockfile{{/if}}",
      "commitMessageSuffix": "{{#if isMinor}}(minor){{/if}}{{#if isPatch}}(patch){{/if}}"
    },
    {
      "description": "No automerge for k3s major and minor updates",
      "matchDatasources": ["github-releases"],
      "matchPackageNames": ["k3s-io/k3s"],
      "matchUpdateTypes": ["major", "minor"],
      "automerge": false
    },
    {
      "description": "Group k3s patch updates",
      "matchDatasources": ["github-releases"],
      "matchPackageNames": ["k3s-io/k3s"],
      "matchUpdateTypes": ["patch"],
      "groupName": "k3s"
    },
    {
      "description": "Disable k3s major and minor updates for old versions",
      "matchDatasources": ["github-releases"],
      "matchFileNames": [".forgejo/workflows/**"],
      "matchPackageNames": ["k3s-io/k3s"],
      "matchUpdateTypes": ["major", "minor"],
      "matchCurrentValue": "!/^v1.32/",
      "enabled": false
    }
  ],
  "customDatasources": {
    "k3s": {
      "defaultRegistryUrlTemplate": "https://update.k3s.io/v1-release/channels",
      "transformTemplates": [
        "($isVersion:=function($name){$contains($name,/^v\\d+.\\d+$/)};{\"releases\":[data[$isVersion(name)].{\"version\":latest}],\"sourceUrl\":\"https://github.com/k3s-io/k3s\",\"homepage\":\"https://k3s.io/\"})"
      ]
    }
  },
  "customManagers": [
    {
      "customType": "regex",
      "fileMatch": [".forgejo/renovate/k3s.json"],
      "matchStrings": [
        "matchCurrentValue\": \"!\\/^v(?<currentValue>\\d+\\.\\d+)\\/"
      ],
      "depNameTemplate": "k3s",
      "versioningTemplate": "npm",
      "datasourceTemplate": "custom.k3s"
    }
  ]
 }
--- a/.forgejo/workflows/build.yml
+++ b/.forgejo/workflows/build.yml
@ -8,17 +8,16 @@ on:
      - maint/**
    tags:
      - v*
  workflow_dispatch:
 permissions:
  contents: read
 env:
-  HELM_VERSION: v3.17.2 # renovate: datasource=github-releases depName=helm packageName=helm/helm
+  HELM_VERSION: v3.15.3 # renovate: datasource=github-releases depName=helm packageName=helm/helm
-  HELM_UNITTEST_VERSION: v0.7.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
+  HELM_UNITTEST_VERSION: v0.5.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
-  HELM_CHART_TESTING_VERSION: v3.12.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
+  HELM_CHART_TESTING_VERSION: v3.11.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
-  KUBECTL_VERSION: v1.32.3 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
+  KIND_VERSION: v0.23.0 # renovate: datasource=github-releases depName=kind packageName=kubernetes-sigs/kind
-  CT_GITHUB_GROUPS: true
+  KUBECTL_VERSION: v1.30.3 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
 jobs:
  lint-node:
@ -26,11 +25,9 @@ jobs:
    steps:
      - run: cat /etc/os-release
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          show-progress: false
          fetch-depth: 0 # Important for changelog
          filter: blob:none # We don't need all blobs
      - uses: ./.forgejo/actions/setup
      - uses: ./.forgejo/actions/setup-node
@ -40,10 +37,6 @@ jobs:
      - run: make readme
      - run: git diff --exit-code --name-only README.md
      - name: changelog
        run: |
          pnpm changelog ${{ github.ref_type == 'tag' && 'true' || '' }}
  lint-helm:
    runs-on: docker
    steps:
@ -51,7 +44,7 @@ jobs:
      - run: ps axf
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          show-progress: false
          fetch-depth: 0
@ -60,12 +53,12 @@ jobs:
      - uses: ./.forgejo/actions/setup
      - name: install chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
        with:
          version: ${{ env.HELM_CHART_TESTING_VERSION }}
      - name: install helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: ${{ env.HELM_VERSION }}
@ -81,27 +74,21 @@ jobs:
      - run: ct lint --config tools/ct.yml --charts .
  e2e:
    needs:
      - lint-node
      - lint-helm
    runs-on: k8s
    strategy:
      matrix:
-        k3s:
+        k8s:
-          # https://github.com/k3s-io/k3s/branches
+          # from https://hub.docker.com/r/kindest/node/tags
-          # oldest supported version
+          - v1.27.13 # renovate: kindest
-          - v1.28.15+k3s1 # renovate: k3s
+          - v1.28.9 # renovate: kindest
-          # https://github.com/k3s-io/k3s/blob/master/channel.yaml#L3-L4
+          - v1.29.4 # renovate: kindest
-          # stable version
+          - v1.30.2 # renovate: kindest
          - v1.31.6+k3s1 # renovate: k3s
          # newest version
          - v1.32.2+k3s1 # renovate: k3s
    steps:
      - run: cat /etc/os-release
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          show-progress: false
          fetch-depth: 0
@ -110,28 +97,34 @@ jobs:
      - uses: ./.forgejo/actions/setup
      - name: install helm
-        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: ${{ env.HELM_VERSION }}
      - name: Install chart-testing
-        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
+        # TODO: pin to version when this is released: https://github.com/helm/chart-testing-action/pull/137
        uses: helm/chart-testing-action@5aa1c68405a43a57240a9b2869379324b2bec0fc # main
        with:
          version: ${{ env.HELM_CHART_TESTING_VERSION }}
-      - uses: ./.forgejo/actions/setup-k3s
+      - uses: ./.forgejo/actions/setup-docker
      - name: Create kind cluster
        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
        with:
-          version: ${{ matrix.k3s }}
+          node_image: kindest/node:${{ matrix.k8s }}
          kubectl_version: ${{ env.KUBECTL_VERSION }}
          version: ${{ env.KIND_VERSION }}
      - run: kubectl get no -o wide
      - name: install chart
-        uses: https://github.com/nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
+        uses: https://github.com/nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
        with:
          timeout_minutes: 15
          max_attempts: 3
          retry_on: error
-          retry_wait_seconds: 120
+          retry_wait_seconds: 60
          polling_interval_seconds: 5
          command: ct install --config tools/ct.yml --charts .
@ -169,7 +162,7 @@ jobs:
    if: ${{ github.ref_type == 'tag' }}
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          show-progress: false
          fetch-depth: 0 # Important for changelog
@ -179,7 +172,7 @@ jobs:
      - uses: ./.forgejo/actions/setup-node
      - name: install helm
-        uses: https://github.com/azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
+        uses: https://github.com/azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
        with:
          version: ${{ env.HELM_VERSION }}
--- a/.forgejo/workflows/mirror.yml
+++ b/.forgejo/workflows/mirror.yml
@ -6,8 +6,6 @@ on:
    branches:
      - 'main'
  workflow_dispatch:
 jobs:
  mirror:
    runs-on: docker
--- a/.node-version
+++ b/.node-version
@ -1 +1 @@
-22.14.0
+20.16.0
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -4,7 +4,7 @@
      ".github/workflows/*",
      ".forgejo/workflows/*"
    ],
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
      "/unittests/**/*.yaml"
    ]
  },
--- a/Chart.lock
+++ b/Chart.lock
@ -1,18 +1,12 @@
 dependencies:
 - name: common
  repository: oci://ghcr.io/visualon/bitnamicharts
  version: 2.30.0
 - name: postgresql
-  repository: oci://ghcr.io/visualon/bitnamicharts
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.5.6
+  version: 15.5.20
 - name: postgresql-ha
-  repository: oci://ghcr.io/visualon/bitnamicharts
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.3.8
+  version: 14.2.16
 - name: redis-cluster
-  repository: oci://ghcr.io/visualon/bitnamicharts
+  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 11.4.6
+  version: 10.3.0
- name: redis
+digest: sha256:2e14d6c1f86f4b9a0b0e9e29fe24404eba29cd6ca2ebb712eeb1946bf80536ff
-  repository: oci://ghcr.io/visualon/bitnamicharts
+generated: "2024-08-02T00:03:11.343498124Z"
  version: 20.11.4
 digest: sha256:a9c9f0779663336dd22ca4896f22bb64427e28f20aa567aee2f18474f8e31a23
 generated: "2025-03-26T15:31:33.532188569Z"
--- a/Chart.yaml
+++ b/Chart.yaml
@ -3,7 +3,7 @@ name: forgejo
 description: Forgejo Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 10.0.3
+appVersion: 7.0.7
 icon: https://code.forgejo.org/forgejo/forgejo/raw/branch/forgejo/assets/logo.svg
 home: https://forgejo.org/
@ -22,35 +22,22 @@ maintainers:
  - name: Michael Kriese
    email: michael.kriese@visualon.de
-# Bitnami charts are served from ghcr mirror because of rate limiting on Docker Hub
+# Bitnami charts are served from Docker Hub
 # https://hub.docker.com/u/bitnamicharts
 # https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html
 # https://github.com/bitnami/charts/issues/30853
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 dependencies:
  # https://github.com/bitnami/charts/blob/main/bitnami/common/Chart.yaml
  - name: common
    repository: oci://ghcr.io/visualon/bitnamicharts
    tags:
      - bitnami-common
    version: 2.30.0
  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
  - name: postgresql
-    repository: oci://ghcr.io/visualon/bitnamicharts
+    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 16.5.6
+    version: 15.5.20
    condition: postgresql.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
  - name: postgresql-ha
-    repository: oci://ghcr.io/visualon/bitnamicharts
+    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.3.8
+    version: 14.2.16
    condition: postgresql-ha.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
  - name: redis-cluster
-    repository: oci://ghcr.io/visualon/bitnamicharts
+    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 11.4.6
+    version: 10.3.0
    condition: redis-cluster.enabled
  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
  - name: redis
    repository: oci://ghcr.io/visualon/bitnamicharts
    version: 20.11.4
    condition: redis.enabled
--- a/1
+++ b/1
@ -1,6 +1,5 @@
 MIT License
 Copyright (c) 2023 The Forgejo Authors
 Copyright (c) 2020 The Gitea Authors
 Copyright (c) 2020 NOVUM-RGI
 Copyright (c) 2019 - 2020 Charlie Drage
--- a/2
+++ b/2
@ -9,7 +9,7 @@ readme: prepare-environment
 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
 .PHONY: helm
 update-helm-dependencies:
--- a/README.md
+++ b/README.md
@ -20,6 +20,7 @@
    - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
  - [External Database](#external-database)
  - [Ports and external url](#ports-and-external-url)
  - [ClusterIP](#clusterip)
  - [SSH and Ingress](#ssh-and-ingress)
  - [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
  - [Cache](#cache)
@ -45,23 +46,15 @@
  - [Init](#init)
  - [Signing](#signing)
  - [Gitea](#gitea)
  - [`app.ini` overrides](#appini-overrides)
  - [LivenessProbe](#livenessprobe)
  - [ReadinessProbe](#readinessprobe)
  - [StartupProbe](#startupprobe)
-  - [Redis&reg; Cluster](#redis-cluster)
+  - [redis-cluster](#redis-cluster)
  - [Redis&reg;](#redis)
  - [PostgreSQL HA](#postgresql-ha)
  - [PostgreSQL](#postgresql)
  - [Advanced](#advanced)
 - [Contributing](#contributing)
 - [Upgrading](#upgrading)
  - [To v11](#to-v11)
  - [To v10](#to-v10)
  - [To v9](#to-v9)
  - [To v8](#to-v8)
  - [To v7](#to-v7)
  - [To v6](#to-v6)
 [Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go.
 It is published under the MIT license.
@ -101,8 +94,7 @@ These dependencies are enabled by default:
 Alternatively, the following non-HA replacements are available:
- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
+- PostgreSQL ([Bitnami PostgreSQL](<postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
 - Redis ([Bitnami Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml))
 ### Dependency Versioning
@ -121,7 +113,6 @@ Please double-check the image repository and available tags in the sub-chart:
 - [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
 - [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
 - [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
 - [Redis](https://hub.docker.com/r/bitnami/redis/tags)
 and look up the image tag which fits your needs on Dockerhub.
@ -176,14 +167,14 @@ gitea:
 This chart will set a few defaults in the Forgejo configuration based on the service and ingress settings.
 All defaults can be overwritten in `gitea.config`.
-INSTALL_LOCK is always set to true because the configuration in this helm chart makes any configuration via installer superfluous.
+INSTALL_LOCK is always set to true, since we want to configure Forgejo with this helm chart and everything is taken care of.
 _All default settings are made directly in the generated `app.ini`, not in the Values._
 #### Database defaults
-If a database subchart is enabled, the database configuration is set automatically.
+If a builtIn database is enabled the database configuration is set automatically.
-For example, PostgreSQL will appear in the `app.ini` as:
+For example, PostgreSQL builtIn will appear in the `app.ini` as:
 ```ini
 [database]
@ -256,7 +247,7 @@ External tools such as `redis-cluster` or `memcached` handle these workloads muc
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Forgejo instance.
-1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql` and `redis`):
+1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql`):
   <details>
@ -265,8 +256,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
   ```yaml
   redis-cluster:
     enabled: false
   redis:
     enabled: true
   postgresql:
     enabled: true
   postgresql-ha:
@ -279,6 +268,12 @@ If HA is not needed/desired, the following configurations can be used to deploy
     config:
       database:
         DB_TYPE: postgres
       session:
         PROVIDER: db
       cache:
         ADAPTER: memory
       queue:
         TYPE: level
       indexer:
         ISSUE_INDEXER_TYPE: bleve
         REPO_INDEXER_ENABLED: true
@ -298,8 +293,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
   ```yaml
   redis-cluster:
     enabled: false
   redis:
     enabled: false
   postgresql:
     enabled: false
   postgresql-ha:
@ -449,6 +442,23 @@ This helm chart automatically configures the clone urls to use the correct ports
 You can change these ports by hand using the `gitea.config` dict.
 However you should know what you're doing.
 ### ClusterIP
 By default the `clusterIP` will be set to `None`, which is the default for headless services.
 However if you want to omit the clusterIP field in the service, use the following values:
 ```yaml
 service:
  http:
    type: ClusterIP
    port: 3000
    clusterIP:
  ssh:
    type: ClusterIP
    port: 22
    clusterIP:
 ```
 ### SSH and Ingress
 If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
@ -458,7 +468,7 @@ You will need a LoadBalancer like `metallb` and a setting in your ssh service an
 service:
  ssh:
    annotations:
-      metallb.io/allow-shared-ip: test
+      metallb.universe.tf/allow-shared-ip: test
 ```
 ### SSH on crio based kubernetes cluster
@ -531,6 +541,8 @@ postgresql:
 This chart enables you to create a default admin user.
 It is also possible to update the password for this user by upgrading or redeploying the chart.
 It is not possible to delete an admin user after it has been created.
 This has to be done in the ui.
 You cannot use `admin` as username.
 ```yaml
@ -560,22 +572,6 @@ gitea:
    existingSecret: gitea-admin-secret
 ```
 To delete the admin user, set `username` or `password` to an empty value and delete the user in the UI.
 Whether you use the existing Secret or specify a username and password directly, there are three modes for how the admin user password is created or set.
 - `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
 - `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
 - `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
 These modes can be set like the following:
 ```yaml
 gitea:
  admin:
    passwordMode: initialOnlyRequireReset
 ```
 ### LDAP Settings
 Like the admin user the LDAP settings can be updated.
@ -633,7 +629,7 @@ Affected options:
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the UI.
-[All OAuth2 values](https://forgejo.org/docs/latest/admin/command-line/#admin-auth-add-oauth) are available.
+All OAuth2 values, which are documented [here](https://forgejo.org/docs/latest/admin/command-line/#admin), are available.
 Multiple OAuth2 sources can be configured with additional OAuth list items.
@ -672,29 +668,14 @@ gitea:
      existingSecret: gitea-oauth-secret
 ```
 ### Compatibility with OCP (OKD or OpenShift)
 Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
 ```yaml
 global:
  compatibility:
    openshift:
      adaptSecurityContext: force
 ```
 An OCP route to access Forgejo can be enabled with the following config:
 ```yaml
 route:
  enabled: true
 ```
 ## Configure commit signing
-When using the rootless image, the GPG key folder is not persistent by default.
+When using the rootless image the gpg key folder is not persistent by default.
-If you want commits by Forgejo (e.g. initial commit) to be signed,
+If you consider using signed commits for internal Forgejo activities (e.g. initial commit), you'd need to provide a signing key.
-you need to provide a signing key:
+Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
 The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
 By default this section is disabled to maintain backwards compatibility.
 ```yaml
 signing:
@ -702,10 +683,8 @@ signing:
  gpgHome: /data/git/.gnupg
 ```
-By default this section is disabled to maintain backwards compatibility.
+Regardless of the used container image the `signing` object allows to specify a private gpg key.
-
+Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`.
 Regardless of the used container image the `signing` object allows to specify a private GPG key.
 Either using the `signing.privateKey` to define the key inline, or referring to an existing secret containing the key data with `signing.existingSecret`.
 ```yaml
 apiVersion: v1
@ -725,7 +704,7 @@ signing:
  existingSecret: custom-gitea-gpg-key
 ```
-To use the GPG key, Forgejo needs to be configured accordingly.
+To use the gpg key, Forgejo needs to be configured accordingly.
 A detailed description can be found in the [documentation](https://forgejo.org/docs/latest/admin/signing/#general-configuration).
 ## Metrics and profiling
@ -864,7 +843,6 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
 | `global.storageClass`     | global storage class override                                             | `""`  |
 | `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
 | `namespaceOverride`       | String to fully override common.names.namespace                           | `""`  |
 | `replicaCount`            | number of replicas for the deployment                                     | `1`   |
 ### strategy
@ -904,7 +882,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
 | `service.http.type`                     | Kubernetes service type for web traffic                                                                                                                                                              | `ClusterIP` |
 | `service.http.port`                     | Port number for web traffic                                                                                                                                                                          | `3000`      |
-| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment                                                                                                                                                  | `nil`       |
+| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment is None                                                                                                                                          | `None`      |
 | `service.http.loadBalancerIP`           | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.http.nodePort`                 | NodePort for http service                                                                                                                                                                            | `nil`       |
 | `service.http.externalTrafficPolicy`    | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                         | `nil`       |
@ -914,10 +892,9 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
 | `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
 | `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
-| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment                                                                                                                                                   | `nil`       |
+| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
 | `service.ssh.loadBalancerIP`            | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.ssh.nodePort`                  | NodePort for ssh service                                                                                                                                                                             | `nil`       |
 | `service.ssh.externalTrafficPolicy`     | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                          | `nil`       |
@ -928,35 +905,19 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
 | `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
 | `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 ### Ingress
-| Name                                 | Description          | Value             |
+| Name                                 | Description                                                                 | Value             |
-| ------------------------------------ | -------------------- | ----------------- |
+| ------------------------------------ | --------------------------------------------------------------------------- | ----------------- |
-| `ingress.enabled`                    | Enable ingress       | `false`           |
+| `ingress.enabled`                    | Enable ingress                                                              | `false`           |
-| `ingress.className`                  | Ingress class name   | `nil`             |
+| `ingress.className`                  | Ingress class name                                                          | `nil`             |
-| `ingress.annotations`                | Ingress annotations  | `{}`              |
+| `ingress.annotations`                | Ingress annotations                                                         | `{}`              |
-| `ingress.hosts[0].host`              | Default Ingress host | `git.example.com` |
+| `ingress.hosts[0].host`              | Default Ingress host                                                        | `git.example.com` |
-| `ingress.hosts[0].paths[0].path`     | Default Ingress path | `/`               |
+| `ingress.hosts[0].paths[0].path`     | Default Ingress path                                                        | `/`               |
-| `ingress.hosts[0].paths[0].pathType` | Ingress path type    | `Prefix`          |
+| `ingress.hosts[0].paths[0].pathType` | Ingress path type                                                           | `Prefix`          |
-| `ingress.tls`                        | Ingress tls settings | `[]`              |
+| `ingress.tls`                        | Ingress tls settings                                                        | `[]`              |
-
+| `ingress.apiVersion`                 | Specify APIVersion of ingress object. Mostly would only be used for argocd. |                   |
 ### Route
 | Name                                      | Description                                                                                                                                                                                       | Value      |
 | ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
 | `route.enabled`                           | Enable route                                                                                                                                                                                      | `false`    |
 | `route.annotations`                       | Route annotations                                                                                                                                                                                 | `{}`       |
 | `route.host`                              | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)                                                                                                      | `nil`      |
 | `route.wildcardPolicy`                    | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.                                                                                                            | `nil`      |
 | `route.tls.termination`                   | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))                                                            | `edge`     |
 | `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http)                                                                                                                         | `Redirect` |
 | `route.tls.existingSecret`                | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil`      |
 | `route.tls.certificate`                   | PEM encoded single certificate                                                                                                                                                                    | `nil`      |
 | `route.tls.privateKey`                    | PEM encoded private key                                                                                                                                                                           | `nil`      |
 | `route.tls.caCertificate`                 | PEM encoded CA certificate or chain that issued the certificate                                                                                                                                   | `nil`      |
 | `route.tls.destinationCACertificate`      | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)                                                      | `nil`      |
 ### deployment
@ -1021,27 +982,25 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | ------------------------ | ----------------------------------------------------------------- | ------------------ |
 | `signing.enabled`        | Enable commit/action signing                                      | `false`            |
 | `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
-| `signing.privateKey`     | Inline private GPG key for signed internal Git activity           | `""`               |
+| `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 ### Gitea
-| Name                                     | Description                                                                                                                   | Value                |
+| Name                                   | Description                                                                 | Value                |
-| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| -------------------------------------- | --------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                   | Username for the Forgejo admin user                                                                                           | `gitea_admin`        |
+| `gitea.admin.username`                 | Username for the Forgejo admin user                                         | `gitea_admin`        |
-| `gitea.admin.existingSecret`             | Use an existing secret to store admin user credentials                                                                        | `nil`                |
+| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                      | `nil`                |
-| `gitea.admin.password`                   | Password for the Forgejo admin user                                                                                           | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.password`                 | Password for the Forgejo admin user                                         | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                      | Email for the Forgejo admin user                                                                                              | `gitea@local.domain` |
+| `gitea.admin.email`                    | Email for the Forgejo admin user                                            | `gitea@local.domain` |
-| `gitea.admin.passwordMode`               | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated`        |
+| `gitea.metrics.enabled`                | Enable Forgejo metrics                                                      | `false`              |
-| `gitea.metrics.enabled`                  | Enable Forgejo metrics                                                                                                        | `false`              |
+| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor                                      | `false`              |
-| `gitea.metrics.serviceMonitor.enabled`   | Enable Forgejo metrics service monitor                                                                                        | `false`              |
+| `gitea.ldap`                           | LDAP configuration                                                          | `[]`                 |
-| `gitea.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running                                                                                      | `""`                 |
+| `gitea.oauth`                          | OAuth configuration                                                         | `[]`                 |
-| `gitea.ldap`                             | LDAP configuration                                                                                                            | `[]`                 |
+| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                           | `[]`                 |
-| `gitea.oauth`                            | OAuth configuration                                                                                                           | `[]`                 |
+| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables                 | `[]`                 |
-| `gitea.additionalConfigSources`          | Additional configuration from secret or configmap                                                                             | `[]`                 |
+| `gitea.podAnnotations`                 | Annotations for the Forgejo pod                                             | `{}`                 |
-| `gitea.additionalConfigFromEnvs`         | Additional configuration sources from environment variables                                                                   | `[]`                 |
+| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Forgejo image. | `INFO`               |
 | `gitea.podAnnotations`                   | Annotations for the Forgejo pod                                                                                               | `{}`                 |
 | `gitea.ssh.logLevel`                     | Configure OpenSSH's log level. Only available for root-based Forgejo image.                                                   | `INFO`               |
 ### `app.ini` overrides
@ -1113,16 +1072,15 @@ blocks, while the keys themselves remain in all caps.
 ### ReadinessProbe
-| Name                                       | Description                                       | Value          |
+| Name                                       | Description                                       | Value  |
-| ------------------------------------------ | ------------------------------------------------- | -------------- |
+| ------------------------------------------ | ------------------------------------------------- | ------ |
-| `gitea.readinessProbe.enabled`             | Enable readiness probe                            | `true`         |
+| `gitea.readinessProbe.enabled`             | Enable readiness probe                            | `true` |
-| `gitea.readinessProbe.httpGet.path`        | Path to probe for readiness                       | `/api/healthz` |
+| `gitea.readinessProbe.tcpSocket.port`      | Port to probe for readiness                       | `http` |
-| `gitea.readinessProbe.httpGet.port`        | Port to probe for readiness                       | `http`         |
+| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5`    |
-| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5`            |
+| `gitea.readinessProbe.timeoutSeconds`      | Timeout for readiness probe                       | `1`    |
-| `gitea.readinessProbe.timeoutSeconds`      | Timeout for readiness probe                       | `1`            |
+| `gitea.readinessProbe.periodSeconds`       | Period for readiness probe                        | `10`   |
-| `gitea.readinessProbe.periodSeconds`       | Period for readiness probe                        | `10`           |
+| `gitea.readinessProbe.successThreshold`    | Success threshold for readiness probe             | `1`    |
-| `gitea.readinessProbe.successThreshold`    | Success threshold for readiness probe             | `1`            |
+| `gitea.readinessProbe.failureThreshold`    | Failure threshold for readiness probe             | `3`    |
 | `gitea.readinessProbe.failureThreshold`    | Failure threshold for readiness probe             | `3`            |
 ### StartupProbe
@ -1139,33 +1097,19 @@ blocks, while the keys themselves remain in all caps.
 ### Redis&reg; Cluster
 Redis&reg; Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
-Full configuration options are available on their website.
+Complete Configuration can be taken from their website.
 Redis cluster and [Redis](#redis) cannot be enabled at the same time.
 | Name                             | Description                                  | Value   |
 | -------------------------------- | -------------------------------------------- | ------- |
-| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
+| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
 | `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
 | `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
 | `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
 ### Redis&reg;
 Redis&reg; is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
 Full configuration options are available on their website.
 Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
 | Name                          | Description                                | Value        |
 | ----------------------------- | ------------------------------------------ | ------------ |
 | `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
 | `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
 | `redis.global.redis.password` | Required password                          | `changeme`   |
 | `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
 ### PostgreSQL HA
 PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
-Full configuration options are available on their website.
+Complete Configuration can be taken from their website.
 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
@ -1183,7 +1127,7 @@ Full configuration options are available on their website.
 ### PostgreSQL
 PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
-Full configuration options are available on their website.
+Complete Configuration can be taken from their website.
 | Name                                                    | Description                                                      | Value   |
 | ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
@ -1198,11 +1142,11 @@ Full configuration options are available on their website.
 | Name               | Description                                                        | Value     |
 | ------------------ | ------------------------------------------------------------------ | --------- |
-| `checkDeprecation` | Whether to run this basic validation check.                        | `true`    |
+| `checkDeprecation` | Set it to false to skip this basic validation check.               | `true`    |
-| `test.enabled`     | Whether to use test-connection Pod.                                | `true`    |
+| `test.enabled`     | Set it to false to disable test-connection Pod.                    | `true`    |
 | `test.image.name`  | Image name for the wget container used in the test-connection Pod. | `busybox` |
 | `test.image.tag`   | Image tag for the wget container used in the test-connection Pod.  | `latest`  |
-| `extraDeploy`      | Array of extra objects to deploy with the release.                 | `[]`      |
+| `extraDeploy`      | Array of extra objects to deploy with the release                  | `[]`      |
 ## Contributing
@ -1218,38 +1162,11 @@ This section lists major and breaking changes of each Helm Chart version.
 Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
 If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
-### To v11
+### To v7.0.0
 PostgreSQL and PostgreSQL HA are now using PostgreSQL v17.
 Please read PostgresSQL upgrade guide before upgrading.
 You need Forgejo v10+ to use this Helm Chart version.
 Forgejo v9 is now EOL.
 ClusterIP is now emtpy instead of `None` for http and ssh service.
 Unsupported api versions for `Ingress` and `PodDisruptionBudget` are removed.
 `Ingress` and `Service` are now using named ports.
 The ReadinessProbe is now using the `/api/healthz` endpoint.
 ### To v10
 You need Forgejo v9+ to use this Helm Chart version.
 Forgejo v8 is now EOL.
 ### To v9
 Namespaces for all resources are now set to `common.names.namespace` by default.
 ### To v8
 You need Forgejo v8+ to use this Helm Chart version.
 Use the v7 Helm Chart for Forgejo v7.
 ### To v7
 The Forgejo docker image is pulled from `code.forgejo.org` instead of `codeberg.org`.
-### To v6
+### To v6.0.0
 You need Forgejo v7+ to use this Helm Chart version.
 Use the v5 Helm Chart for Forgejo v1.21.
--- a/ci/default-values.yaml
+++ b/ci/default-values.yaml
@ -1,20 +0,0 @@
 # default values with some modifications
 # Use mirror
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 global:
  security:
    allowInsecureImages: true
 redis-cluster:
  image:
    registry: public.ecr.aws
 postgresql-ha:
  postgresql:
    image:
      registry: public.ecr.aws
  pgpool:
    image:
      registry: public.ecr.aws
 test:
  image:
    name: code.forgejo.org/oci/busybox
--- a/ci/default.yml
+++ b/ci/default.yml
@ -0,0 +1 @@
 # default values
--- a/ci/dev-values.yaml
+++ b/ci/dev-values.yaml
@ -1,14 +1,11 @@
 # Test codeberg.org image
 image:
  registry: codeberg.org
 # Use mirror
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 test:
  image:
    name: code.forgejo.org/oci/busybox
 redis-cluster:
  enabled: false
 postgresql:
  enabled: false
 postgresql-ha:
  enabled: false
--- a/ci/single-values.yaml
+++ b/ci/single-values.yaml
@ -1,23 +1,9 @@
 redis-cluster:
  enabled: false
 postgresql-ha:
  enabled: false
 postgresql:
  enabled: true
-  # Use mirror
+postgresql-ha:
-  # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+  enabled: false
  image:
    registry: public.ecr.aws
 global:
  security:
    allowInsecureImages: true
 # Use mirror
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 test:
  image:
    name: code.forgejo.org/oci/busybox
 persistence:
  enabled: true
--- a/ci/v10-values.yaml
+++ b/ci/v10-values.yaml
@ -1,16 +1,12 @@
 image:
  registry: codeberg.org
  repository: forgejo-experimental/forgejo
-  tag: 10 # don't pin, manifests can be missing
+  tag: 7.0-test@sha256:02da8e3a15ae2889ceeb3214844f5e3f1fe026c85cc2a5b42ca66f00dc2defaa
 # Use mirror
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 test:
  image:
    name: code.forgejo.org/oci/busybox
 redis-cluster:
  enabled: false
 postgresql:
  enabled: false
 postgresql-ha:
  enabled: false
--- a/ci/v12-values.yaml
+++ b/ci/v12-values.yaml
@ -1,16 +1,12 @@
 image:
  registry: codeberg.org
  repository: forgejo-experimental/forgejo
-  tag: 12 # don't pin, manifests can be missing
+  tag: 8.0-test@sha256:46b8f580e17e65d62ae7a6ad8c0c61276ce08ef77152a5a8e05888180624722c
 # Use mirror
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 test:
  image:
    name: code.forgejo.org/oci/busybox
 redis-cluster:
  enabled: false
 postgresql:
  enabled: false
 postgresql-ha:
  enabled: false
--- a/ci/v11-values.yaml
+++ b/ci/v11-values.yaml
@ -1,16 +1,12 @@
 image:
  registry: codeberg.org
  repository: forgejo-experimental/forgejo
-  tag: 11 # don't pin, manifests can be missing
+  tag: 9.0-test@sha256:4ce089acda9355f6d5bc520bb6e651d3baf693a9fe0a15ad49c5f69fd58412ba
 # Use mirror
 # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 test:
  image:
    name: code.forgejo.org/oci/busybox
 redis-cluster:
  enabled: false
 postgresql:
  enabled: false
 postgresql-ha:
  enabled: false
--- a/package.json
+++ b/package.json
@ -11,21 +11,21 @@
    "prettier-fix": "prettier --write --ignore-unknown --cache '**/*.*'",
    "readme:lint": "markdownlint *.md -f",
    "readme:parameters": "readme-generator -v values.yaml -r README.md",
-    "test": "helm unittest --strict -f 'unittests/**/*.yaml' ./"
+    "test": "helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./"
  },
  "devDependencies": {
-    "@bitnami/readme-generator-for-helm": "2.7.0",
+    "@bitnami/readme-generator-for-helm": "2.6.1",
    "clipanion": "3.2.1",
    "conventional-changelog-conventionalcommits": "8.0.0",
-    "conventional-changelog-core": "9.0.0",
+    "conventional-changelog-core": "8.0.0",
-    "husky": "9.1.7",
+    "husky": "9.1.4",
-    "lint-staged": "15.5.0",
+    "lint-staged": "15.2.8",
-    "markdownlint-cli": "0.44.0",
+    "markdownlint-cli": "0.41.0",
-    "prettier": "3.5.3"
+    "prettier": "3.3.3"
  },
-  "packageManager": "pnpm@10.7.0",
+  "packageManager": "pnpm@9.7.0",
  "engines": {
-    "node": "^22.0.0",
+    "node": "^18.12.0 || >=20.9.0",
-    "pnpm": "^10.0.0"
+    "pnpm": "^9.0.0"
  }
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/renovate.json
+++ b/renovate.json
@ -1,23 +1,15 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
+  "extends": ["forgejo-contrib/forgejo-renovate//base.json"],
    "forgejo-contrib/forgejo-renovate//base.json",
    "forgejo-helm/forgejo-helm//.forgejo/renovate/k3s.json"
  ],
  "assignees": ["viceice"],
  "baseBranches": ["main", "/^maint\\/.+/"],
  "packageRules": [
    {
-      "description": "Separate multiple major sub chart updates",
+      "description": "Disable major chart updates for maintenance branches",
      "matchFileNames": ["Chart.yaml"],
      "separateMultipleMajor": true
    },
    {
      "description": "Require approval for major sub chart updates for maintenance branches",
      "matchBaseBranches": ["/^maint\\/.+/"],
      "matchUpdateTypes": ["major"],
      "matchFileNames": ["Chart.yaml"],
-      "dependencyDashboardApproval": true
+      "enabled": false
    },
    {
      "matchManagers": ["helmv3"],
@ -42,13 +34,13 @@
      "semanticCommitType": "feat"
    },
    {
-      "description": "Automerge and group helm subchart updates weekly (minor & patch)",
+      "description": "Automerge and group helm subchart updates daily (minor & patch)",
      "matchManagers": ["helmv3"],
      "matchFileNames": ["Chart.yaml"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true,
      "groupName": "subcharts",
-      "extends": ["schedule:weekly"]
+      "extends": ["schedule:daily"]
    },
    {
      "description": "Automerge dev deps updates",
@ -74,9 +66,21 @@
      "matchUpdateTypes": ["digest"],
      "automerge": true
    },
    {
      "description": "Separate minor and patch updates for kindest",
      "matchPackageNames": ["kindest/node"],
      "separateMinorPatch": true
    },
    {
      "description": "Require approval and no automerge for kindest major and minor updates",
      "matchPackageNames": ["kindest/node"],
      "matchUpdateTypes": ["major", "minor"],
      "dependencyDashboardApproval": true,
      "automerge": false
    },
    {
      "description": "Use test scope for forgejo ci tests",
-      "matchFileNames": ["ci/*.yaml"],
+      "matchFileNames": ["ci/*.yml"],
      "additionalBranchPrefix": "ci-forgejo-",
      "semanticCommitType": "ci",
      "semanticCommitScope": "forgejo",
@ -85,15 +89,10 @@
    },
    {
      "description": "Disable updates for forgejo ci tests",
-      "matchFileNames": ["ci/*.yaml"],
+      "matchFileNames": ["ci/*.yml"],
      "matchUpdateTypes": ["major", "minor", "patch"],
      "enabled": false
    },
    {
      "description": "Don't pin digests for forgejo ci tests, not supported",
      "matchFileNames": ["ci/*.yaml"],
      "pinDigests": false
    },
    {
      "description": "branch automerge not possible",
      "automergeType": "pr",
@ -123,15 +122,16 @@
    },
    {
      "customType": "regex",
-      "description": "Update k3s kubernetes references",
+      "description": "Update kindest kubernetes references",
      "fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"],
-      "matchStrings": [" +- (?<currentValue>.+?) # renovate: k3s\\n"],
+      "matchStrings": [
-      "depNameTemplate": "k3s",
+        " +- (?<currentValue>v\\d+\\.\\d+\\.\\d+) # renovate: kindest\\n"
-      "packageNameTemplate": "k3s-io/k3s",
+      ],
-      "datasourceTemplate": "github-releases"
+      "depNameTemplate": "kindest/node",
      "datasourceTemplate": "docker"
    }
  ],
  "helm-values": {
-    "fileMatch": ["^ci/.+\\.yaml$"]
+    "fileMatch": ["^ci/.+\\.yml$"]
  }
 }
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@ -32,14 +32,6 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 {{/*
 Get version from .Values.image.tag or Chart.AppVersion.
 Trim optional docker digest.
 */}}
 {{- define "gitea.version" -}}
 {{- regexReplaceAll "@.+" (.Values.image.tag | default .Chart.AppVersion | toString) "" -}}
 {{- end -}}
 {{/*
 Create image name and tag used by the deployment.
 */}}
@ -82,7 +74,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
+{{- $storageClass := .Values.persistence.storageClass | default .Values.global.storageClass }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@ -95,8 +87,8 @@ Common labels
 helm.sh/chart: {{ include "gitea.chart" . }}
 app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
-app.kubernetes.io/version: {{ include "gitea.version" . | quote }}
+app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-version: {{ include "gitea.version" . | quote }}
+version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
@ -121,28 +113,20 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 {{- define "redis.dns" -}}
-{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+{{- if (index .Values "redis-cluster").enabled -}}
 {{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
 {{- else if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
 {{- else if (index .Values "redis").enabled -}}
 {{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
 {{- end -}}
 {{- end -}}
 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
 {{- else if (index .Values "redis").enabled -}}
 {{ (index .Values "redis").master.service.ports.redis }}
 {{- end -}}
 {{- end -}}
 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- else if (index .Values "redis").enabled -}}
 {{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
@ -224,7 +208,7 @@ https
        {{- $_ := set $inlines $key (join "\n" $section) -}}
      {{- end -}}
    {{- else }}
-      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") (eq $key "APP_SLOGAN") (eq $key "APP_DISPLAY_NAME_FORMAT") -}}
+      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
        {{- $generals = append $generals (printf "%s=%s" $key $value) -}}
      {{- else -}}
        {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
@ -287,7 +271,7 @@ https
    {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
  {{- end -}}
  {{- /* redis queue */ -}}
-  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+  {{- if (index .Values "redis-cluster").enabled -}}
    {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
    {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
    {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
@ -408,11 +392,3 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
 {{- define "gitea.admin.passwordMode" -}}
 {{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
 {{ .Values.gitea.admin.passwordMode }}
 {{- else -}}
 {{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
 {{- end -}}
 {{- end -}}
--- a/templates/gitea/config.yaml
+++ b/templates/gitea/config.yaml
@ -2,7 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-inline-config
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -89,18 +88,15 @@ stringData:
      env2ini::log "    + '${setting}'"
      local masked_setting="${setting//./_0X2E_}"                           # '//' instructs to replace all matches
      masked_setting="${masked_setting//-/_0X2D_}"
      if [[ -z "${section}" ]]; then
-        export "FORGEJO____${masked_setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "FORGEJO____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
        return
      fi
      local masked_section="${section//./_0X2E_}"                           # '//' instructs to replace all matches
      masked_section="${masked_section//-/_0X2D_}"
-      export "FORGEJO__${masked_section^^}__${masked_setting^^}=${value}"          # '^^' makes the variable content uppercase
+      export "FORGEJO__${masked_section^^}__${setting^^}=${value}"          # '^^' makes the variable content uppercase
    }
    function env2ini::reload_preset_envs() {
--- a/templates/gitea/deployment.yaml
+++ b/templates/gitea/deployment.yaml
@ -2,7 +2,6 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ include "common.names.namespace" . | quote }}
  annotations:
    {{- if .Values.deployment.annotations }}
    {{- toYaml .Values.deployment.annotations | nindent 4 }}
@ -57,7 +56,7 @@ spec:
      {{- end }}
      {{- include "gitea.images.pullSecrets" . | nindent 6 }}
      securityContext:
-        {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      initContainers:
        - name: init-directories
          image: "{{ include "gitea.image" . }}"
@ -91,7 +90,7 @@ spec:
              {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
-            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        - name: init-app-ini
@ -131,7 +130,7 @@ spec:
            {{- end }}
            {{- include "gitea.init-additional-mounts" . | nindent 12 }}
          securityContext:
-            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
          resources:
            {{- toYaml .Values.initContainers.resources | nindent 12 }}
        {{- if .Values.signing.enabled }}
@ -145,7 +144,7 @@ spec:
            {{- if not (hasKey $csc "runAsUser") -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}
-            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
+            {{- toYaml $csc | nindent 12 }}
          env:
            - name: GNUPGHOME
              value: {{ .Values.signing.gpgHome }}
@ -176,7 +175,7 @@ spec:
            {{- if not (hasKey $csc "runAsUser") -}}
            {{- $_ := set $csc "runAsUser" 1000 -}}
            {{- end -}}
-            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
+            {{- toYaml $csc | nindent 12 }}
          env:
            - name: GITEA_APP_INI
              value: /data/gitea/conf/app.ini
@ -244,8 +243,6 @@ spec:
            - name: GITEA_ADMIN_PASSWORD
              value: {{ .Values.gitea.admin.password | quote }}
            {{- end }}
            - name: GITEA_ADMIN_PASSWORD_MODE
              value: {{ include "gitea.admin.passwordMode" $ }}
            {{- if .Values.deployment.env }}
            {{- toYaml .Values.deployment.env | nindent 12 }}
            {{- end }}
@ -327,9 +324,9 @@ spec:
          securityContext:
            {{- /* Honor the deprecated securityContext variable when defined */ -}}
            {{- if .Values.containerSecurityContext -}}
-            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
+            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
            {{- else -}}
-            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
+            {{ toYaml .Values.securityContext | nindent 12 -}}
            {{- end }}
          volumeMounts:
            - name: temp
--- a/templates/gitea/gpg-secret.yaml
+++ b/templates/gitea/gpg-secret.yaml
@ -7,7 +7,6 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.gpg-key-secret-name" . }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
--- a/templates/gitea/http-svc.yaml
+++ b/templates/gitea/http-svc.yaml
@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-http
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.service.http.labels }}
@ -12,11 +11,7 @@ metadata:
    {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
  type: {{ .Values.service.http.type }}
-  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
  {{- if .Values.service.http.loadBalancerClass }}
  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
  {{- end }}
  {{- if and .Values.service.http.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
  {{- end }}
  {{- if .Values.service.http.loadBalancerSourceRanges }}
@ -25,7 +20,6 @@ spec:
    - {{ . }}
  {{- end }}
  {{- end }}
  {{- end }}
  {{- if .Values.service.http.externalIPs }}
  externalIPs:
    {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
@ -49,6 +43,6 @@ spec:
    {{- if  .Values.service.http.nodePort }}
    nodePort: {{ .Values.service.http.nodePort }}
    {{- end }}
-    targetPort: http
+    targetPort: {{ .Values.gitea.config.server.HTTP_PORT }}
  selector:
    {{- include "gitea.selectorLabels" . | nindent 4 }}
--- a/templates/gitea/ingress.yaml
+++ b/templates/gitea/ingress.yaml
@ -1,10 +1,18 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
-apiVersion: networking.k8s.io/v1
+{{- $httpPort := .Values.service.http.port -}}
 {{- $apiVersion := "extensions/v1beta1" -}}
 {{- if .Values.ingress.apiVersion -}}
 {{- $apiVersion = .Values.ingress.apiVersion -}}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
 {{- $apiVersion = "networking.k8s.io/v1" }}
 {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
 {{- $apiVersion = "networking.k8s.io/v1beta1" }}
 {{- end }}
 apiVersion: {{ $apiVersion }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
  annotations:
@ -13,7 +21,7 @@ metadata:
    {{- end }}
 spec:
 {{- if .Values.ingress.className }}
-  ingressClassName: {{ tpl .Values.ingress.className . }}
+  ingressClassName: {{ .Values.ingress.className }}
 {{- end }}
 {{- if .Values.ingress.tls }}
  tls:
@ -32,14 +40,19 @@ spec:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
-            {{- if .pathType }}
+            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
            pathType: {{ .pathType }}
            {{- end }}
            backend:
            {{- if eq $apiVersion "networking.k8s.io/v1" }}
              service:
                name: {{ $fullName }}-http
                port:
-                  name: http
+                  number: {{ $httpPort }}
            {{- else }}
              serviceName: {{ $fullName }}-http
              servicePort: {{ $httpPort }}
            {{- end }}
          {{- end }}
    {{- end }}
 {{- end }}
--- a/templates/gitea/init.yaml
+++ b/templates/gitea/init.yaml
@ -2,7 +2,6 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "gitea.fullname" . }}-init
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@ -110,26 +109,13 @@ stringData:
      local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
      if [[ -z "${ACCOUNT_ID}" ]]; then
        local -a create_args
        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
          create_args+=(--must-change-password=true)
        else
          create_args+=(--must-change-password=false)
        fi
        echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create "${create_args[@]}"
+        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
        echo '...created.'
      else
-        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
+        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false
-          local -a change_args
+        echo '...password sync done.'
          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false)
          gitea admin user change-password "${change_args[@]}"
          echo '...password sync done.'
        else
          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
        fi
      fi
    }
--- a/templates/gitea/poddisruptionbudget.yaml
+++ b/templates/gitea/poddisruptionbudget.yaml
@ -1,9 +1,12 @@
 {{- if .Values.podDisruptionBudget -}}
 {{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
 {{- else }}
 apiVersion: policy/v1beta1
 {{- end }}
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
 spec:
--- a/templates/gitea/pvc.yaml
+++ b/templates/gitea/pvc.yaml
@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ .Values.persistence.claimName }}
-  namespace: {{ include "common.names.namespace" . | quote }}
+  namespace: {{ $.Release.Namespace }}
  annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
 {{- if .Values.persistence.labels }}
--- a/templates/gitea/route.yaml
+++ b/templates/gitea/route.yaml
@ -1,43 +0,0 @@
 {{- if .Values.route.enabled -}}
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
  name: {{ include "gitea.fullname" . }}-http
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
  annotations:
    {{- toYaml .Values.route.annotations | nindent 4 }}
 spec:
  {{- if .Values.route.host }}
  host: {{ tpl .Values.route.host $ | quote }}
  {{- end }}
  {{- if .Values.route.wildcardPolicy }}
  wildcardPolicy: {{ .Values.route.wildcardPolicy }}
  {{- end }}
  to:
    kind: Service
    name: {{ include "gitea.fullname" . }}-http
    weight: 100
  port:
    targetPort: http
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
    {{- if .Values.route.tls.existingSecret }}
    externalCertificate: {{ .Values.route.tls.existingSecret }}
    {{- else if and .Values.route.tls.certificate
                    .Values.route.tls.privateKey
                    .Values.route.tls.caCertificate }}
    certificate: |
 {{ .Values.route.tls.certificate | indent 6 }}
    key: |
 {{ .Values.route.tls.privateKey | indent 6 }}
    caCertificate: |
 {{ .Values.route.tls.caCertificate | indent 6 }}
    {{- else if or .Values.route.tls.certificate
                    .Values.route.tls.privateKey
                    .Values.route.tls.caCertificate }}
    {{- fail "certificate, privateKey and caCertificate must be specified together" }}
    {{- end }}
 {{- end }}
--- a/templates/gitea/serviceaccount.yaml
+++ b/templates/gitea/serviceaccount.yaml
@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ include "common.names.namespace" . | quote }}
+  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.labels }}
--- a/templates/gitea/servicemonitor.yaml
+++ b/templates/gitea/servicemonitor.yaml
@ -3,7 +3,6 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ include "gitea.fullname" . }}
  namespace: {{ default (include "common.names.namespace" .) .Values.gitea.metrics.serviceMonitor.namespace | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}
--- a/templates/gitea/ssh-svc.yaml
+++ b/templates/gitea/ssh-svc.yaml
@ -2,7 +2,6 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "gitea.fullname" . }}-ssh
  namespace: {{ include "common.names.namespace" . | quote }}
  labels:
    {{- include "gitea.labels" . | nindent 4 }}
    {{- if .Values.service.ssh.labels }}
@ -13,9 +12,6 @@ metadata:
 spec:
  type: {{ .Values.service.ssh.type }}
  {{- if eq .Values.service.ssh.type "LoadBalancer" }}
  {{- if .Values.service.ssh.loadBalancerClass }}
  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
  {{- end }}
  {{- if .Values.service.ssh.loadBalancerIP }}
  loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
  {{- end -}}
@ -47,7 +43,7 @@ spec:
  - name: ssh
    port: {{ .Values.service.ssh.port }}
    {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
-    targetPort: ssh
+    targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
    {{- end }}
    protocol: TCP
    {{- if .Values.service.ssh.nodePort }}
--- a/templates/tests/test-http-connection.yaml
+++ b/templates/tests/test-http-connection.yaml
@ -6,7 +6,7 @@ metadata:
  labels:
 {{ include "gitea.labels" . | nindent 4 }}
  annotations:
-    "helm.sh/hook": test
+    "helm.sh/hook": test-success
 spec:
  containers:
    - name: wget
--- a/tools/changelog.mjs
+++ b/tools/changelog.mjs
@ -1,12 +1,67 @@
-import { getChangelog } from './changelog/util.js';
+import conventionalChangelogCore from 'conventional-changelog-core';
 import conventionalChangelogPreset from 'conventional-changelog-conventionalcommits';
 import fs from 'node:fs';
-const stream = getChangelog(!!process.argv[2]).setEncoding('utf8');
+const config = conventionalChangelogPreset({
  types: [
    {
      type: 'feat',
      section: 'Features',
    },
    {
      type: 'fix',
      section: 'Bug Fixes',
    },
    {
      type: 'perf',
      section: 'Performance Improvements',
    },
    {
      type: 'revert',
      section: 'Reverts',
    },
    {
      type: 'docs',
      section: 'Documentation',
    },
    {
      type: 'style',
      section: 'Styles',
    },
    {
      type: 'refactor',
      section: 'Code Refactoring',
    },
    {
      type: 'test',
      section: 'Tests',
    },
    {
      type: 'build',
      section: 'Build System',
    },
    {
      type: 'ci',
      section: 'Continuous Integration',
    },
    {
      type: 'chore',
      section: 'Miscellaneous Chores',
    },
  ],
 });
-const changes = (await stream.toArray()).join('');
+const file = process.argv[3]
  ? fs.createWriteStream(process.argv[3])
  : process.stdout;
-if (!changes.length) {
+conventionalChangelogCore(
-  console.error('No changelog found');
+  {
-  process.exit(1);
+    config,
-}
+    releaseCount: 2,
-
+  },
-process.stdout.write(changes);
+  { version: process.argv[2], linkCompare: false },
  undefined,
  undefined,
  { headerPartial: '' },
 ).pipe(file);
--- a/tools/changelog/util.js
+++ b/tools/changelog/util.js
@ -56,16 +56,17 @@ export const config = conventionalChangelogPreset({
 /**
 *
- * @param {boolean|undefined} onTag
+ * @param {string} version
 * @param {boolean} onTag
 * @returns
 */
-export function getChangelog(onTag = false) {
+export function getChangelog(version, onTag) {
  return conventionalChangelogCore(
    {
      config,
      releaseCount: onTag ? 2 : 1,
    },
-    undefined,
+    { version, linkCompare: false },
    undefined,
    undefined,
    { headerPartial: '' },
--- a/tools/ct.yml
+++ b/tools/ct.yml
@ -1,4 +1,3 @@
 # https://github.com/helm/chart-testing/blob/main/doc/ct_install.md
 helm-extra-args: --timeout 3m
 check-version-increment: false
 debug: true
--- a/tools/forgejo-release.js
+++ b/tools/forgejo-release.js
@ -68,7 +68,7 @@ class GiteaReleaseCommand extends Command {
      return 1;
    }
-    const stream = getChangelog(true).setEncoding('utf8');
+    const stream = getChangelog(tag, true).setEncoding('utf8');
    const changes = (await stream.toArray()).join('');
    this.context.stdout.write(`Creating release ${tag}.\n`);
--- a/unittests/config/cache-config.yaml
+++ b/unittests/config/cache-config.yaml
@ -8,8 +8,6 @@ tests:
    set:
      redis-cluster:
        enabled: true
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -18,28 +16,11 @@ tests:
            ADAPTER=redis
            HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
-  - it: 'cache is configured correctly for redis'
+  - it: "cache is configured correctly for 'memory' when redis-cluster is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: true
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.cache
          value: |-
            ADAPTER=redis
            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -48,13 +29,11 @@ tests:
            ADAPTER=memory
            HOST=
-  - it: 'cache can be customized when redis (or redis-cluster) is disabled'
+  - it: 'cache can be customized when redis-cluster is disabled'
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: false
      gitea.config.cache.ADAPTER: custom-adapter
      gitea.config.cache.HOST: custom-host
    asserts:
--- a/unittests/config/queue-config.yaml
+++ b/unittests/config/queue-config.yaml
@ -8,8 +8,6 @@ tests:
    set:
      redis-cluster:
        enabled: true
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -18,28 +16,11 @@ tests:
            CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
            TYPE=redis
-  - it: 'queue is configured correctly for redis'
+  - it: "queue is configured correctly for 'levelDB' when redis-cluster is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: true
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.queue
          value: |-
            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
            TYPE=redis
  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -48,13 +29,11 @@ tests:
            CONN_STR=
            TYPE=level
-  - it: 'queue can be customized when redis (and redis-cluster) are disabled'
+  - it: 'queue can be customized when redis-cluster is disabled'
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: false
      gitea.config.queue.TYPE: custom-type
      gitea.config.queue.CONN_STR: custom-connection-string
    asserts:
--- a/unittests/config/session-config.yaml
+++ b/unittests/config/session-config.yaml
@ -8,8 +8,6 @@ tests:
    set:
      redis-cluster:
        enabled: true
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -18,28 +16,11 @@ tests:
            PROVIDER=redis
            PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
-  - it: 'session is configured correctly for redis'
+  - it: "session is configured correctly for 'memory' when redis-cluster is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: true
    asserts:
      - documentIndex: 0
        equal:
          path: stringData.session
          value: |-
            PROVIDER=redis
            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        equal:
@ -48,13 +29,11 @@ tests:
            PROVIDER=memory
            PROVIDER_CONFIG=
-  - it: 'session can be customized when redis (and redis-cluster) is disabled'
+  - it: 'session can be customized when redis-cluster is disabled'
    template: templates/gitea/config.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: false
      gitea.config.session.PROVIDER: custom-provider
      gitea.config.session.PROVIDER_CONFIG: custom-provider-config
    asserts:
--- a/unittests/dependency-major-image-check.yaml
+++ b/unittests/dependency-major-image-check.yaml
@ -15,7 +15,7 @@ tests:
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql-repmgr:17.+$
+          pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
  - it: '[postgresql] ensures we detect major image version upgrades'
    template: charts/postgresql/templates/primary/statefulset.yaml
    set:
@ -28,30 +28,15 @@ tests:
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql:17.+$
+          pattern: ^docker.io/bitnami/postgresql:16.+$
  - it: '[redis-cluster] ensures we detect major image version upgrades'
    template: charts/redis-cluster/templates/redis-statefulset.yaml
    set:
      redis-cluster:
        enabled: true
      redis:
        enabled: false
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: bitnami/redis-cluster:7.+$
+          pattern: ^docker.io/bitnami/redis-cluster:7.+$
  - it: '[redis] ensures we detect major image version upgrades'
    template: charts/redis/templates/master/application.yaml
    set:
      redis-cluster:
        enabled: false
      redis:
        enabled: true
    asserts:
      - documentIndex: 0
        matchRegex:
          path: spec.template.spec.containers[0].image
          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
          pattern: bitnami/redis:7.+$
--- a/unittests/deployment/ingress-configuration.yaml
+++ b/unittests/deployment/ingress-configuration.yaml
@ -15,33 +15,9 @@ tests:
          hosts:
            - '{{ .Values.global.giteaHostName }}'
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: 'gitea.example.com'
      - equal:
          path: spec.rules[0].host
          value: 'gitea.example.com'
  - it: Ingress Class using TPL
    set:
      global.ingress.className: 'ingress-class'
      ingress.className: '{{ .Values.global.ingress.className }}'
      ingress.enabled: true
      ingress.hosts[0].host: 'some-host'
      ingress.tls:
        - secretName: gitea-tls
          hosts:
            - 'some-host'
    asserts:
      - isKind:
          of: Ingress
      - equal:
          path: spec.tls[0].hosts[0]
          value: 'some-host'
      - equal:
          path: spec.rules[0].host
          value: 'some-host'
      - equal:
          path: spec.ingressClassName
          value: 'ingress-class'
--- a/unittests/deployment/route-configuration.yaml
+++ b/unittests/deployment/route-configuration.yaml
@ -1,155 +0,0 @@
 # $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 suite: route template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/route.yaml
 tests:
  - it: hostname using TPL
    set:
      global.giteaHostName: 'gitea.example.com'
      route.enabled: true
      route.host: '{{ .Values.global.giteaHostName }}'
    asserts:
      - isKind:
          of: Route
      - equal:
          path: spec.host
          value: 'gitea.example.com'
      - notExists:
          path: spec.wildcardPolicy
  - it: wildcard policy
    set:
      global.giteaHostName: 'gitea.example.com'
      route.enabled: true
      route.wildcardPolicy: 'Subdomain'
    asserts:
      - isKind:
          of: Route
      - equal:
          path: spec.wildcardPolicy
          value: 'Subdomain'
  - it: existing certificate
    set:
      route.enabled: true
      route.tls.existingSecret: certificate-secret
      route.tls.certificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      route.tls.privateKey: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
      route.tls.caCertificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    asserts:
      - isKind:
          of: Route
      - equal:
          path: spec.tls.externalCertificate
          value: certificate-secret
      - notExists:
          path: spec.tls.certificate
      - notExists:
          path: spec.tls.key
      - notExists:
          path: spec.tls.caCertificate
  - it: valid certificate values
    set:
      route.enabled: true
      route.tls.certificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      route.tls.privateKey: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
      route.tls.caCertificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    asserts:
      - isKind:
          of: Route
      - notExists:
          path: spec.tls.externalCertificate
      - equal:
          path: spec.tls.certificate
          value: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
      - equal:
          path: spec.tls.key
          value: |
            -----BEGIN PRIVATE KEY-----
            ...
            -----END PRIVATE KEY-----
      - equal:
          path: spec.tls.caCertificate
          value: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
  - it: missing certificate values
    set:
      route.enabled: true
      route.tls.privateKey: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
      route.tls.caCertificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    asserts:
      - failedTemplate:
          errorMessage: certificate, privateKey and caCertificate must be specified together
  - it: missing privateKey values
    set:
      route.enabled: true
      route.tls.certificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      route.tls.caCertificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
    asserts:
      - failedTemplate:
          errorMessage: certificate, privateKey and caCertificate must be specified together
  - it: missing caCertificate values
    set:
      route.enabled: true
      route.tls.certificate: |
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      route.tls.privateKey: |
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
    asserts:
      - failedTemplate:
          errorMessage: certificate, privateKey and caCertificate must be specified together
--- a/unittests/deployment/security-context-normal.yaml
+++ b/unittests/deployment/security-context-normal.yaml
@ -1,25 +0,0 @@
 # $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 suite: deployment template (security context)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: FS group set to 1000
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - equal:
          path: spec.template.spec.securityContext.fsGroup
          value: 1000
  - it: run configure-gitea with UID 1000
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
    asserts:
      - equal:
          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
          value: 1000
--- a/unittests/deployment/security-context-ocp.yaml
+++ b/unittests/deployment/security-context-ocp.yaml
@ -1,25 +0,0 @@
 # $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
 suite: deployment template (security context)
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/deployment.yaml
  - templates/gitea/config.yaml
 tests:
  - it: FS group not set
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
      global.compatibility.openshift.adaptSecurityContext: force
    asserts:
      - notExists:
          path: spec.template.spec.securityContext.fsGroup
  - it: configure-gitea without runaAsUser
    template: templates/gitea/deployment.yaml
    set:
      image.rootless: false
      global.compatibility.openshift.adaptSecurityContext: force
    asserts:
      - notExists:
          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
--- a/unittests/deployment/svc-configuration.yaml
+++ b/unittests/deployment/svc-configuration.yaml
@ -58,71 +58,4 @@ tests:
          value: 22
      - equal:
          path: spec.ports[0].targetPort
-          value: ssh
+          value: 2222
  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
    template: templates/gitea/ssh-svc.yaml
    set:
      service:
        ssh:
          loadBalancerClass: 'example.com/class'
          type: LoadBalancer
          loadBalancerIP: '1.2.3.4'
          loadBalancerSourceRanges:
            - '1.2.3.4/32'
            - '5.6.7.8/32'
    asserts:
      - equal:
          path: spec.loadBalancerClass
          value: 'example.com/class'
      - equal:
          path: spec.loadBalancerIP
          value: '1.2.3.4'
      - equal:
          path: spec.loadBalancerSourceRanges
          value: ['1.2.3.4/32', '5.6.7.8/32']
  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
    template: templates/gitea/http-svc.yaml
    set:
      service:
        http:
          type: ClusterIP
          loadBalancerClass: 'example.com/class'
          loadBalancerIP: '1.2.3.4'
          loadBalancerSourceRanges:
            - '1.2.3.4/32'
            - '5.6.7.8/32'
    asserts:
      - notExists:
          path: spec.loadBalancerClass
      - notExists:
          path: spec.loadBalancerIP
      - notExists:
          path: spec.loadBalancerSourceRanges
  - it: does not render loadBalancerClass by default even when type is LoadBalancer
    template: templates/gitea/http-svc.yaml
    set:
      service:
        http:
          type: LoadBalancer
          loadBalancerIP: '1.2.3.4'
    asserts:
      - notExists:
          path: spec.loadBalancerClass
      - equal:
          path: spec.loadBalancerIP
          value: '1.2.3.4'
  - it: both ssh and http services exist
    templates:
      - templates/gitea/ssh-svc.yaml
      - templates/gitea/http-svc.yaml
    asserts:
      - matchRegex:
          path: metadata.name
          pattern: '^gitea-unittests-forgejo-(?:ssh|http)$'
      - matchRegex:
          path: spec.ports[0].name
          pattern: '^(?:ssh|http)$'
--- a/unittests/pvc/pvc-configuration.yaml
+++ b/unittests/pvc/pvc-configuration.yaml
@ -1,19 +0,0 @@
 suite: PVC template
 release:
  name: gitea-unittests
  namespace: testing
 templates:
  - templates/gitea/pvc.yaml
 tests:
  - it: Storage Class using TPL
    set:
      global.persistence.storageClass: 'storage-class'
      persistence.enabled: true
      persistence.create: true
      persistence.storageClass: '{{ .Values.global.persistence.storageClass }}'
    asserts:
      - isKind:
          of: PersistentVolumeClaim
      - equal:
          path: spec.storageClassName
          value: 'storage-class'
--- a/unittests/values-conflicting-checks.yaml
+++ b/unittests/values-conflicting-checks.yaml
@ -1,14 +0,0 @@
 suite: Values conflicting checks
 release:
  name: gitea-unittests
  namespace: testing
 tests:
  - it: fails when trying to configure redis and redis-cluster the same time
    set:
      redis-cluster:
        enabled: true
      redis:
        enabled: true
    asserts:
      - failedTemplate:
          errorMessage: redis and redis-cluster cannot be enabled at the same time. Please only choose one.
--- a/values.yaml
+++ b/values.yaml
@ -20,10 +20,6 @@ global:
  #   hostnames:
  #   - example.com
 ## @param namespaceOverride String to fully override common.names.namespace
 ##
 namespaceOverride: ''
 ## @param replicaCount number of replicas for the deployment
 replicaCount: 1
@ -101,7 +97,7 @@ podDisruptionBudget: {}
 service:
  ## @param service.http.type Kubernetes service type for web traffic
  ## @param service.http.port Port number for web traffic
-  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment
+  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
  ## @param service.http.loadBalancerIP LoadBalancer IP setting
  ## @param service.http.nodePort NodePort for http service
  ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -111,11 +107,10 @@ service:
  ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
  ## @param service.http.annotations HTTP service annotations
  ## @param service.http.labels HTTP service additional labels
  ## @param service.http.loadBalancerClass Loadbalancer class
  http:
    type: ClusterIP
    port: 3000
-    clusterIP:
+    clusterIP: None
    loadBalancerIP:
    nodePort:
    externalTrafficPolicy:
@ -125,10 +120,9 @@ service:
    loadBalancerSourceRanges: []
    annotations: {}
    labels: {}
    loadBalancerClass:
  ## @param service.ssh.type Kubernetes service type for ssh traffic
  ## @param service.ssh.port Port number for ssh traffic
-  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment
+  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
  ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
  ## @param service.ssh.nodePort NodePort for ssh service
  ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@ -139,11 +133,10 @@ service:
  ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
  ## @param service.ssh.annotations SSH service annotations
  ## @param service.ssh.labels SSH service additional labels
  ## @param service.ssh.loadBalancerClass Loadbalancer class
  ssh:
    type: ClusterIP
    port: 22
-    clusterIP:
+    clusterIP: None
    loadBalancerIP:
    nodePort:
    externalTrafficPolicy:
@ -154,7 +147,6 @@ service:
    loadBalancerSourceRanges: []
    annotations: {}
    labels: {}
    loadBalancerClass:
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
@ -164,6 +156,7 @@ service:
 ## @param ingress.hosts[0].paths[0].path Default Ingress path
 ## @param ingress.hosts[0].paths[0].pathType Ingress path type
 ## @param ingress.tls Ingress tls settings
 ## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
 ingress:
  enabled: false
  # className: nginx
@ -181,48 +174,9 @@ ingress:
  #  - secretName: chart-example-tls
  #    hosts:
  #      - git.example.com
-
+  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
-## @section Route
+  # If helm doesn't correctly detect your ingress API version you can set it here.
-## @param route.enabled Enable route
+  # apiVersion: networking.k8s.io/v1
 ## @param route.annotations Route annotations
 ## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
 ## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
 ## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
 ## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
 ## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
 ## @param route.tls.certificate PEM encoded single certificate
 ## @param route.tls.privateKey PEM encoded private key
 ## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
 ## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
 route:
  enabled: false
  annotations: {}
  host:
  wildcardPolicy:
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect
    existingSecret:
    certificate:
    # certificate: |-
    # -----BEGIN CERTIFICATE-----
    # ...
    # -----END CERTIFICATE-----
    privateKey:
    # privateKey: |-
    # -----BEGIN PRIVATE KEY-----
    # ...
    # -----END PRIVATE KEY-----
    caCertificate:
    # caCertificate: |-
    # -----BEGIN CERTIFICATE-----
    # ...
    # -----END CERTIFICATE-----
    destinationCACertificate:
    # destinationCACertificate: |-
    # -----BEGIN CERTIFICATE-----
    # ...
    # -----END CERTIFICATE-----
 ## @section deployment
 #
@ -369,7 +323,7 @@ initContainers:
 #
 ## @param signing.enabled Enable commit/action signing
 ## @param signing.gpgHome GPG home directory
-## @param signing.privateKey Inline private GPG key for signed internal Git activity
+## @param signing.privateKey Inline private gpg key for signed internal Git activity
 ## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
 signing:
  enabled: false
@ -388,23 +342,19 @@ gitea:
  ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
  ## @param gitea.admin.password Password for the Forgejo admin user
  ## @param gitea.admin.email Email for the Forgejo admin user
  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
  admin:
    # existingSecret: gitea-admin-secret
    existingSecret:
    username: gitea_admin
    password: r8sA8CPHD9!bt6d
    email: 'gitea@local.domain'
    passwordMode: keepUpdated
  ## @param gitea.metrics.enabled Enable Forgejo metrics
  ## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor
  ## @param gitea.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
  metrics:
    enabled: false
    serviceMonitor:
      enabled: false
      namespace: ''
      #  additionalLabels:
      #    prometheus-release: prom1
@ -460,10 +410,12 @@ gitea:
  ## @section `app.ini` overrides
  ## @descriptionStart
  ##
  ## Every value described in the [Cheat
  ## Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
  ## set as a Helm value. Configuration sections map to (lowercased) YAML
  ## blocks, while the keys themselves remain in all caps.
  ##
  ## @descriptionEnd
  config:
    # values in the DEFAULT section
@ -633,8 +585,7 @@ gitea:
  ## @section ReadinessProbe
  #
  ## @param gitea.readinessProbe.enabled Enable readiness probe
-  ## @param gitea.readinessProbe.httpGet.path Path to probe for readiness
+  ## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness
  ## @param gitea.readinessProbe.httpGet.port Port to probe for readiness
  ## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated
  ## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe
  ## @param gitea.readinessProbe.periodSeconds Period for readiness probe
@ -643,8 +594,7 @@ gitea:
  # Modify the readiness probe for your needs or completely disable it by commenting out.
  readinessProbe:
    enabled: true
-    httpGet:
+    tcpSocket:
      path: /api/healthz
      port: http
    initialDelaySeconds: 5
    timeoutSeconds: 1
@ -675,11 +625,10 @@ gitea:
 ## @section Redis&reg; Cluster
 ## @descriptionStart
 ## Redis&reg; Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
-## Full configuration options are available on their website.
+## Complete Configuration can be taken from their website.
 ## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
 ## @descriptionEnd
 #
-## @param redis-cluster.enabled Enable redis cluster
+## @param redis-cluster.enabled Enable redis
 ## @param redis-cluster.usePassword Whether to use password authentication
 ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
 ## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
@ -690,30 +639,10 @@ redis-cluster:
    nodes: 3 # default: 6
    replicas: 0 # default: 1
 ## @section Redis&reg;
 ## @descriptionStart
 ## Redis&reg; is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
 ## Full configuration options are available on their website.
 ## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
 ## @descriptionEnd
 #
 ## @param redis.enabled Enable redis standalone or replicated
 ## @param redis.architecture Whether to use standalone or replication
 ## @param redis.global.redis.password Required password
 ## @param redis.master.count Number of Redis master instances to deploy
 redis:
  enabled: false
  architecture: standalone
  global:
    redis:
      password: changeme
  master:
    count: 1
 ## @section PostgreSQL HA
 ## @descriptionStart
 ## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
-## Full configuration options are available on their website.
+## Complete Configuration can be taken from their website.
 ## @descriptionEnd
 #
 ## @param postgresql-ha.enabled Enable PostgreSQL HA chart
@ -749,7 +678,7 @@ postgresql-ha:
 ## @section PostgreSQL
 ## @descriptionStart
 ## PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
-## Full configuration options are available on their website.
+## Complete Configuration can be taken from their website.
 ## @descriptionEnd
 #
 ## @param postgresql.enabled Enable PostgreSQL
@ -776,8 +705,8 @@ postgresql:
 # By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
 # Set it to false to skip this basic validation check.
 ## @section Advanced
-## @param checkDeprecation Whether to run this basic validation check.
+## @param checkDeprecation Set it to false to skip this basic validation check.
-## @param test.enabled Whether to use test-connection Pod.
+## @param test.enabled Set it to false to disable test-connection Pod.
 ## @param test.image.name Image name for the wget container used in the test-connection Pod.
 ## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
 checkDeprecation: true
@ -787,6 +716,6 @@ test:
    name: busybox
    tag: latest
-## @param extraDeploy Array of extra objects to deploy with the release.
+## @param extraDeploy Array of extra objects to deploy with the release
 ##
 extraDeploy: []
Author	SHA1	Message	Date
Renovate Bot	28999e0d8d	fix(deps): update forgejo docker tag to v7.0.7 (maint/v7) (#722 ) Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/722 Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-09 14:43:12 +00:00
Renovate Bot	8591515c01	ci(forgejo): update experimental docker digests (maint/v7) (#720 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-09 02:17:15 +00:00
Renovate Bot	75145081a4	ci(forgejo): update codeberg.org/forgejo-experimental/forgejo:9.0-test docker digest to 4ce089a (maint/v7) (#718 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-09 01:12:38 +00:00
Renovate Bot	0c316d198a	ci(forgejo): update experimental docker digests (maint/v7) (#715 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-08 01:11:51 +00:00
Renovate Bot	80a37cf7aa	chore(deps): update pnpm to v9.7.0 (maint/v7) (#713 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-07 02:44:00 +00:00
Renovate Bot	02e09286a8	ci(forgejo): update experimental docker digests (maint/v7) (#712 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-07 02:08:46 +00:00
Renovate Bot	8a8a865164	ci(forgejo): update codeberg.org/forgejo-experimental/forgejo:8.0-test docker digest to 33a7fc5 (maint/v7) (#709 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-06 02:11:43 +00:00
Renovate Bot	f12985da36	ci(forgejo): update experimental docker digests (maint/v7) (#707 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-06 01:43:03 +00:00
Renovate Bot	c1bbd577eb	ci(forgejo): update experimental docker digests (maint/v7) (#704 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-05 01:41:07 +00:00
Renovate Bot	0fe0cc497e	ci(forgejo): update codeberg.org/forgejo-experimental/forgejo:9.0-test docker digest to 1e6e081 (maint/v7) (#702 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-05 00:12:37 +00:00
Renovate Bot	b580361bf3	chore(deps): update dependency lint-staged to v15.2.8 (maint/v7) (#700 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-03 07:11:42 +00:00
Renovate Bot	8d0340c31b	ci(forgejo): update codeberg.org/forgejo-experimental/forgejo:9.0-test docker digest to 4659b8b (maint/v7) (#698 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-03 01:41:24 +00:00
Renovate Bot	95898ae0b2	ci(forgejo): update experimental docker digests (maint/v7) (#696 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-02 01:11:28 +00:00
Renovate Bot	d707ed3ae1	fix(deps): update subcharts (maint/v7) (#694 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-02 00:16:39 +00:00
Renovate Bot	ea1c7e8f5c	ci(forgejo): update experimental docker digests (maint/v7) (#692 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-01 01:17:56 +00:00
Renovate Bot	19f5a775e6	ci(forgejo): update codeberg.org/forgejo-experimental/forgejo:9.0-test docker digest to 2c7315f (maint/v7) (#690 ) Co-authored-by: Renovate Bot <bot@kriese.eu> Co-committed-by: Renovate Bot <bot@kriese.eu>	2024-08-01 00:13:08 +00:00