chore(deps): update pnpm to v10.7.0 (main) (#1168)

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/1168
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>

.forgejo/actions/setup-k3s/action.yml

@@ -0,0 +1,25 @@
+# action.yml
+name: setup-k3s
+description: 'setup k3s'
+
+inputs:
+  version:
+    description: 'k3s version'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - shell: bash
+      name: install k3s
+      run: |
+        curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=${INPUT_VERSION} K3S_KUBECONFIG_MODE=640 sh -s - server
+        echo "KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> $GITHUB_ENV
+    - shell: bash
+      name: check k3s
+      run: kubectl cluster-info
+    - shell: bash
+      name: wait for nodes ready
+      run: |
+        sleep 3
+        kubectl wait --for=condition=Ready nodes --all --timeout=600s

.forgejo/actions/setup-node/action.yml

@@ -5,11 +5,15 @@ description: 'setup node'
 runs:
   using: 'composite'
   steps:
-    - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+    - name: Setup pnpm
+      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      with:
+        standalone: true
+
+    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
       with:
         node-version-file: .node-version
-        # cache: 'npm'
-    - shell: bash
-      run: corepack enable
+        cache: 'pnpm'
+
     - shell: bash
       run: pnpm install --frozen-lockfile

.forgejo/renovate/k3s.json

@@ -0,0 +1,57 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "description": "Separate minor and patch updates for k3s",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "separateMultipleMinor": true,
+      "separateMinorPatch": true,
+      "branchTopic": "{{{depNameSanitized}}}{{#if isMinor}}-minor{{/if}}-{{{newMajor}}}{{#if isPatch}}.{{{newMinor}}}{{/if}}.x{{#if isLockfileUpdate}}-lockfile{{/if}}",
+      "commitMessageSuffix": "{{#if isMinor}}(minor){{/if}}{{#if isPatch}}(patch){{/if}}"
+    },
+    {
+      "description": "No automerge for k3s major and minor updates",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "matchUpdateTypes": ["major", "minor"],
+      "automerge": false
+    },
+    {
+      "description": "Group k3s patch updates",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "matchUpdateTypes": ["patch"],
+      "groupName": "k3s"
+    },
+    {
+      "description": "Disable k3s major and minor updates for old versions",
+      "matchDatasources": ["github-releases"],
+      "matchFileNames": [".forgejo/workflows/**"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "matchUpdateTypes": ["major", "minor"],
+      "matchCurrentValue": "!/^v1.32/",
+      "enabled": false
+    }
+  ],
+  "customDatasources": {
+    "k3s": {
+      "defaultRegistryUrlTemplate": "https://update.k3s.io/v1-release/channels",
+      "transformTemplates": [
+        "($isVersion:=function($name){$contains($name,/^v\\d+.\\d+$/)};{\"releases\":[data[$isVersion(name)].{\"version\":latest}],\"sourceUrl\":\"https://github.com/k3s-io/k3s\",\"homepage\":\"https://k3s.io/\"})"
+      ]
+    }
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": [".forgejo/renovate/k3s.json"],
+      "matchStrings": [
+        "matchCurrentValue\": \"!\\/^v(?<currentValue>\\d+\\.\\d+)\\/"
+      ],
+      "depNameTemplate": "k3s",
+      "versioningTemplate": "npm",
+      "datasourceTemplate": "custom.k3s"
+    }
+  ]
+}

.forgejo/workflows/build.yml

@@ -8,16 +8,17 @@ on:
       - maint/**
     tags:
       - v*
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 env:
-  HELM_VERSION: v3.15.3 # renovate: datasource=github-releases depName=helm packageName=helm/helm
-  HELM_UNITTEST_VERSION: v0.5.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
-  HELM_CHART_TESTING_VERSION: v3.11.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
-  KIND_VERSION: v0.23.0 # renovate: datasource=github-releases depName=kind packageName=kubernetes-sigs/kind
-  KUBECTL_VERSION: v1.30.3 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
+  HELM_VERSION: v3.17.2 # renovate: datasource=github-releases depName=helm packageName=helm/helm
+  HELM_UNITTEST_VERSION: v0.7.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
+  HELM_CHART_TESTING_VERSION: v3.12.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
+  KUBECTL_VERSION: v1.32.3 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
+  CT_GITHUB_GROUPS: true
 
 jobs:
   lint-node:
@@ -25,9 +26,11 @@ jobs:
     steps:
       - run: cat /etc/os-release
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
+          fetch-depth: 0 # Important for changelog
+          filter: blob:none # We don't need all blobs
 
       - uses: ./.forgejo/actions/setup
       - uses: ./.forgejo/actions/setup-node
@@ -37,6 +40,10 @@ jobs:
       - run: make readme
       - run: git diff --exit-code --name-only README.md
 
+      - name: changelog
+        run: |
+          pnpm changelog ${{ github.ref_type == 'tag' && 'true' || '' }}
+
   lint-helm:
     runs-on: docker
     steps:
@@ -44,7 +51,7 @@ jobs:
 
       - run: ps axf
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
           fetch-depth: 0
@@ -53,12 +60,12 @@ jobs:
       - uses: ./.forgejo/actions/setup
 
       - name: install chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           version: ${{ env.HELM_CHART_TESTING_VERSION }}
 
       - name: install helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
 
@@ -74,21 +81,27 @@ jobs:
       - run: ct lint --config tools/ct.yml --charts .
 
   e2e:
+    needs:
+      - lint-node
+      - lint-helm
     runs-on: k8s
 
     strategy:
       matrix:
-        k8s:
-          # from https://hub.docker.com/r/kindest/node/tags
-          - v1.27.13 # renovate: kindest
-          - v1.28.9 # renovate: kindest
-          - v1.29.4 # renovate: kindest
-          - v1.30.2 # renovate: kindest
+        k3s:
+          # https://github.com/k3s-io/k3s/branches
+          # oldest supported version
+          - v1.28.15+k3s1 # renovate: k3s
+          # https://github.com/k3s-io/k3s/blob/master/channel.yaml#L3-L4
+          # stable version
+          - v1.31.6+k3s1 # renovate: k3s
+          # newest version
+          - v1.32.2+k3s1 # renovate: k3s
 
     steps:
       - run: cat /etc/os-release
 
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
           fetch-depth: 0
@@ -97,34 +110,28 @@ jobs:
       - uses: ./.forgejo/actions/setup
 
       - name: install helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
 
       - name: Install chart-testing
-        # TODO: pin to version when this is released: https://github.com/helm/chart-testing-action/pull/137
-        uses: helm/chart-testing-action@5aa1c68405a43a57240a9b2869379324b2bec0fc # main
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           version: ${{ env.HELM_CHART_TESTING_VERSION }}
 
-      - uses: ./.forgejo/actions/setup-docker
-
-      - name: Create kind cluster
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+      - uses: ./.forgejo/actions/setup-k3s
         with:
-          node_image: kindest/node:${{ matrix.k8s }}
-          kubectl_version: ${{ env.KUBECTL_VERSION }}
-          version: ${{ env.KIND_VERSION }}
+          version: ${{ matrix.k3s }}
 
       - run: kubectl get no -o wide
 
       - name: install chart
-        uses: https://github.com/nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        uses: https://github.com/nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
         with:
           timeout_minutes: 15
           max_attempts: 3
           retry_on: error
-          retry_wait_seconds: 60
+          retry_wait_seconds: 120
           polling_interval_seconds: 5
           command: ct install --config tools/ct.yml --charts .
 
@@ -162,7 +169,7 @@ jobs:
     if: ${{ github.ref_type == 'tag' }}
 
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
           fetch-depth: 0 # Important for changelog
@@ -172,7 +179,7 @@ jobs:
       - uses: ./.forgejo/actions/setup-node
 
       - name: install helm
-        uses: https://github.com/azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: https://github.com/azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
 

.forgejo/workflows/mirror.yml

@@ -6,6 +6,8 @@ on:
     branches:
       - 'main'
 
+  workflow_dispatch:
+
 jobs:
   mirror:
     runs-on: docker

.node-version

@@ -1 +1 @@
-20.16.0
+22.14.0

.vscode/settings.json

@@ -4,7 +4,7 @@
       ".github/workflows/*",
       ".forgejo/workflows/*"
     ],
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.5.2/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },

Chart.lock

@@ -1,12 +1,18 @@
 dependencies:
+- name: common
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 2.30.0
 - name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.5.20
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 16.5.6
 - name: postgresql-ha
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 14.2.14
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 15.3.8
 - name: redis-cluster
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.2.9
-digest: sha256:1e9d1de99e188fbd7c3eb3305a9ff6e0428313b181b83b9dea1051e5b134de1b
-generated: "2024-07-25T12:30:38.908174676Z"
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 11.4.6
+- name: redis
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 20.11.4
+digest: sha256:a9c9f0779663336dd22ca4896f22bb64427e28f20aa567aee2f18474f8e31a23
+generated: "2025-03-26T15:31:33.532188569Z"

Chart.yaml

@@ -3,7 +3,7 @@ name: forgejo
 description: Forgejo Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 7.0.6
+appVersion: 10.0.3
 icon: https://code.forgejo.org/forgejo/forgejo/raw/branch/forgejo/assets/logo.svg
 home: https://forgejo.org/
 
@@ -22,22 +22,35 @@ maintainers:
   - name: Michael Kriese
     email: michael.kriese@visualon.de
 
-# Bitnami charts are served from Docker Hub
+# Bitnami charts are served from ghcr mirror because of rate limiting on Docker Hub
 # https://hub.docker.com/u/bitnamicharts
 # https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html
+# https://github.com/bitnami/charts/issues/30853
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 dependencies:
+  # https://github.com/bitnami/charts/blob/main/bitnami/common/Chart.yaml
+  - name: common
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    tags:
+      - bitnami-common
+    version: 2.30.0
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
   - name: postgresql
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.5.20
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 16.5.6
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 14.2.14
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 15.3.8
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 10.2.9
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 11.4.6
     condition: redis-cluster.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
+  - name: redis
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 20.11.4
+    condition: redis.enabled

LICENSE

@@ -1,5 +1,6 @@
 MIT License
 
+Copyright (c) 2023 The Forgejo Authors
 Copyright (c) 2020 The Gitea Authors
 Copyright (c) 2020 NOVUM-RGI
 Copyright (c) 2019 - 2020 Charlie Drage

Makefile

@@ -9,7 +9,7 @@ readme: prepare-environment
 
 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' ./
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -20,7 +20,6 @@
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
   - [Ports and external url](#ports-and-external-url)
-  - [ClusterIP](#clusterip)
   - [SSH and Ingress](#ssh-and-ingress)
   - [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
   - [Cache](#cache)
@@ -46,15 +45,23 @@
   - [Init](#init)
   - [Signing](#signing)
   - [Gitea](#gitea)
+  - [`app.ini` overrides](#appini-overrides)
   - [LivenessProbe](#livenessprobe)
   - [ReadinessProbe](#readinessprobe)
   - [StartupProbe](#startupprobe)
-  - [redis-cluster](#redis-cluster)
+  - [Redis® Cluster](#redis-cluster)
+  - [Redis®](#redis)
   - [PostgreSQL HA](#postgresql-ha)
   - [PostgreSQL](#postgresql)
   - [Advanced](#advanced)
 - [Contributing](#contributing)
 - [Upgrading](#upgrading)
+  - [To v11](#to-v11)
+  - [To v10](#to-v10)
+  - [To v9](#to-v9)
+  - [To v8](#to-v8)
+  - [To v7](#to-v7)
+  - [To v6](#to-v6)
 
 [Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go.
 It is published under the MIT license.
@@ -94,7 +101,8 @@ These dependencies are enabled by default:
 
 Alternatively, the following non-HA replacements are available:
 
-- PostgreSQL ([Bitnami PostgreSQL](<postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
+- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
+- Redis ([Bitnami Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml))
 
 ### Dependency Versioning
 
@@ -113,6 +121,7 @@ Please double-check the image repository and available tags in the sub-chart:
 - [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
 - [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
 - [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
+- [Redis](https://hub.docker.com/r/bitnami/redis/tags)
 
 and look up the image tag which fits your needs on Dockerhub.
 
@@ -167,14 +176,14 @@ gitea:
 This chart will set a few defaults in the Forgejo configuration based on the service and ingress settings.
 All defaults can be overwritten in `gitea.config`.
 
-INSTALL_LOCK is always set to true, since we want to configure Forgejo with this helm chart and everything is taken care of.
+INSTALL_LOCK is always set to true because the configuration in this helm chart makes any configuration via installer superfluous.
 
 _All default settings are made directly in the generated `app.ini`, not in the Values._
 
 #### Database defaults
 
-If a builtIn database is enabled the database configuration is set automatically.
-For example, PostgreSQL builtIn will appear in the `app.ini` as:
+If a database subchart is enabled, the database configuration is set automatically.
+For example, PostgreSQL will appear in the `app.ini` as:
 
 ```ini
 [database]
@@ -247,7 +256,7 @@ External tools such as `redis-cluster` or `memcached` handle these workloads muc
 
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Forgejo instance.
 
-1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql`):
+1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql` and `redis`):
 
    <details>
 
@@ -256,6 +265,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
    ```yaml
    redis-cluster:
      enabled: false
+   redis:
+     enabled: true
    postgresql:
      enabled: true
    postgresql-ha:
@@ -268,12 +279,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
      config:
        database:
          DB_TYPE: postgres
-       session:
-         PROVIDER: db
-       cache:
-         ADAPTER: memory
-       queue:
-         TYPE: level
        indexer:
          ISSUE_INDEXER_TYPE: bleve
          REPO_INDEXER_ENABLED: true
@@ -293,6 +298,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
    ```yaml
    redis-cluster:
      enabled: false
+   redis:
+     enabled: false
    postgresql:
      enabled: false
    postgresql-ha:
@@ -442,23 +449,6 @@ This helm chart automatically configures the clone urls to use the correct ports
 You can change these ports by hand using the `gitea.config` dict.
 However you should know what you're doing.
 
-### ClusterIP
-
-By default the `clusterIP` will be set to `None`, which is the default for headless services.
-However if you want to omit the clusterIP field in the service, use the following values:
-
-```yaml
-service:
-  http:
-    type: ClusterIP
-    port: 3000
-    clusterIP:
-  ssh:
-    type: ClusterIP
-    port: 22
-    clusterIP:
-```
-
 ### SSH and Ingress
 
 If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
@@ -468,7 +458,7 @@ You will need a LoadBalancer like `metallb` and a setting in your ssh service an
 service:
   ssh:
     annotations:
-      metallb.universe.tf/allow-shared-ip: test
+      metallb.io/allow-shared-ip: test
 ```
 
 ### SSH on crio based kubernetes cluster
@@ -541,8 +531,6 @@ postgresql:
 
 This chart enables you to create a default admin user.
 It is also possible to update the password for this user by upgrading or redeploying the chart.
-It is not possible to delete an admin user after it has been created.
-This has to be done in the ui.
 You cannot use `admin` as username.
 
 ```yaml
@@ -572,6 +560,22 @@ gitea:
     existingSecret: gitea-admin-secret
 ```
 
+To delete the admin user, set `username` or `password` to an empty value and delete the user in the UI.
+
+Whether you use the existing Secret or specify a username and password directly, there are three modes for how the admin user password is created or set.
+
+- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
+- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
+- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
+
+These modes can be set like the following:
+
+```yaml
+gitea:
+  admin:
+    passwordMode: initialOnlyRequireReset
+```
+
 ### LDAP Settings
 
 Like the admin user the LDAP settings can be updated.
@@ -629,7 +633,7 @@ Affected options:
 
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the UI.
-All OAuth2 values, which are documented [here](https://forgejo.org/docs/latest/admin/command-line/#admin), are available.
+[All OAuth2 values](https://forgejo.org/docs/latest/admin/command-line/#admin-auth-add-oauth) are available.
 
 Multiple OAuth2 sources can be configured with additional OAuth list items.
 
@@ -668,14 +672,29 @@ gitea:
       existingSecret: gitea-oauth-secret
 ```
 
+### Compatibility with OCP (OKD or OpenShift)
+
+Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
+
+```yaml
+global:
+  compatibility:
+    openshift:
+      adaptSecurityContext: force
+```
+
+An OCP route to access Forgejo can be enabled with the following config:
+
+```yaml
+route:
+  enabled: true
+```
+
 ## Configure commit signing
 
-When using the rootless image the gpg key folder is not persistent by default.
-If you consider using signed commits for internal Forgejo activities (e.g. initial commit), you'd need to provide a signing key.
-Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
-
-The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
-By default this section is disabled to maintain backwards compatibility.
+When using the rootless image, the GPG key folder is not persistent by default.
+If you want commits by Forgejo (e.g. initial commit) to be signed,
+you need to provide a signing key:
 
 ```yaml
 signing:
@@ -683,8 +702,10 @@ signing:
   gpgHome: /data/git/.gnupg
 ```
 
-Regardless of the used container image the `signing` object allows to specify a private gpg key.
-Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`.
+By default this section is disabled to maintain backwards compatibility.
+
+Regardless of the used container image the `signing` object allows to specify a private GPG key.
+Either using the `signing.privateKey` to define the key inline, or referring to an existing secret containing the key data with `signing.existingSecret`.
 
 ```yaml
 apiVersion: v1
@@ -704,7 +725,7 @@ signing:
   existingSecret: custom-gitea-gpg-key
 ```
 
-To use the gpg key, Forgejo needs to be configured accordingly.
+To use the GPG key, Forgejo needs to be configured accordingly.
 A detailed description can be found in the [documentation](https://forgejo.org/docs/latest/admin/signing/#general-configuration).
 
 ## Metrics and profiling
@@ -843,6 +864,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
 | `global.storageClass`     | global storage class override                                             | `""`  |
 | `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
+| `namespaceOverride`       | String to fully override common.names.namespace                           | `""`  |
 | `replicaCount`            | number of replicas for the deployment                                     | `1`   |
 
 ### strategy
@@ -882,7 +904,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
 | `service.http.type`                     | Kubernetes service type for web traffic                                                                                                                                                              | `ClusterIP` |
 | `service.http.port`                     | Port number for web traffic                                                                                                                                                                          | `3000`      |
-| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment is None                                                                                                                                          | `None`      |
+| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment                                                                                                                                                  | `nil`       |
 | `service.http.loadBalancerIP`           | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.http.nodePort`                 | NodePort for http service                                                                                                                                                                            | `nil`       |
 | `service.http.externalTrafficPolicy`    | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                         | `nil`       |
@@ -892,9 +914,10 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
 | `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
+| `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
-| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
+| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment                                                                                                                                                   | `nil`       |
 | `service.ssh.loadBalancerIP`            | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.ssh.nodePort`                  | NodePort for ssh service                                                                                                                                                                             | `nil`       |
 | `service.ssh.externalTrafficPolicy`     | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                          | `nil`       |
@@ -905,19 +928,35 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
 | `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
+| `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 
 ### Ingress
 
-| Name                                 | Description                                                                 | Value             |
-| ------------------------------------ | --------------------------------------------------------------------------- | ----------------- |
-| `ingress.enabled`                    | Enable ingress                                                              | `false`           |
-| `ingress.className`                  | Ingress class name                                                          | `nil`             |
-| `ingress.annotations`                | Ingress annotations                                                         | `{}`              |
-| `ingress.hosts[0].host`              | Default Ingress host                                                        | `git.example.com` |
-| `ingress.hosts[0].paths[0].path`     | Default Ingress path                                                        | `/`               |
-| `ingress.hosts[0].paths[0].pathType` | Ingress path type                                                           | `Prefix`          |
-| `ingress.tls`                        | Ingress tls settings                                                        | `[]`              |
-| `ingress.apiVersion`                 | Specify APIVersion of ingress object. Mostly would only be used for argocd. |                   |
+| Name                                 | Description          | Value             |
+| ------------------------------------ | -------------------- | ----------------- |
+| `ingress.enabled`                    | Enable ingress       | `false`           |
+| `ingress.className`                  | Ingress class name   | `nil`             |
+| `ingress.annotations`                | Ingress annotations  | `{}`              |
+| `ingress.hosts[0].host`              | Default Ingress host | `git.example.com` |
+| `ingress.hosts[0].paths[0].path`     | Default Ingress path | `/`               |
+| `ingress.hosts[0].paths[0].pathType` | Ingress path type    | `Prefix`          |
+| `ingress.tls`                        | Ingress tls settings | `[]`              |
+
+### Route
+
+| Name                                      | Description                                                                                                                                                                                       | Value      |
+| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `route.enabled`                           | Enable route                                                                                                                                                                                      | `false`    |
+| `route.annotations`                       | Route annotations                                                                                                                                                                                 | `{}`       |
+| `route.host`                              | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)                                                                                                      | `nil`      |
+| `route.wildcardPolicy`                    | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.                                                                                                            | `nil`      |
+| `route.tls.termination`                   | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))                                                            | `edge`     |
+| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http)                                                                                                                         | `Redirect` |
+| `route.tls.existingSecret`                | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil`      |
+| `route.tls.certificate`                   | PEM encoded single certificate                                                                                                                                                                    | `nil`      |
+| `route.tls.privateKey`                    | PEM encoded private key                                                                                                                                                                           | `nil`      |
+| `route.tls.caCertificate`                 | PEM encoded CA certificate or chain that issued the certificate                                                                                                                                   | `nil`      |
+| `route.tls.destinationCACertificate`      | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)                                                      | `nil`      |
 
 ### deployment
 
@@ -982,25 +1021,27 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | ------------------------ | ----------------------------------------------------------------- | ------------------ |
 | `signing.enabled`        | Enable commit/action signing                                      | `false`            |
 | `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
-| `signing.privateKey`     | Inline private gpg key for signed internal Git activity           | `""`               |
+| `signing.privateKey`     | Inline private GPG key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 
 ### Gitea
 
-| Name                                   | Description                                                                 | Value                |
-| -------------------------------------- | --------------------------------------------------------------------------- | -------------------- |
-| `gitea.admin.username`                 | Username for the Forgejo admin user                                         | `gitea_admin`        |
-| `gitea.admin.existingSecret`           | Use an existing secret to store admin user credentials                      | `nil`                |
-| `gitea.admin.password`                 | Password for the Forgejo admin user                                         | `r8sA8CPHD9!bt6d`    |
-| `gitea.admin.email`                    | Email for the Forgejo admin user                                            | `gitea@local.domain` |
-| `gitea.metrics.enabled`                | Enable Forgejo metrics                                                      | `false`              |
-| `gitea.metrics.serviceMonitor.enabled` | Enable Forgejo metrics service monitor                                      | `false`              |
-| `gitea.ldap`                           | LDAP configuration                                                          | `[]`                 |
-| `gitea.oauth`                          | OAuth configuration                                                         | `[]`                 |
-| `gitea.additionalConfigSources`        | Additional configuration from secret or configmap                           | `[]`                 |
-| `gitea.additionalConfigFromEnvs`       | Additional configuration sources from environment variables                 | `[]`                 |
-| `gitea.podAnnotations`                 | Annotations for the Forgejo pod                                             | `{}`                 |
-| `gitea.ssh.logLevel`                   | Configure OpenSSH's log level. Only available for root-based Forgejo image. | `INFO`               |
+| Name                                     | Description                                                                                                                   | Value                |
+| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
+| `gitea.admin.username`                   | Username for the Forgejo admin user                                                                                           | `gitea_admin`        |
+| `gitea.admin.existingSecret`             | Use an existing secret to store admin user credentials                                                                        | `nil`                |
+| `gitea.admin.password`                   | Password for the Forgejo admin user                                                                                           | `r8sA8CPHD9!bt6d`    |
+| `gitea.admin.email`                      | Email for the Forgejo admin user                                                                                              | `gitea@local.domain` |
+| `gitea.admin.passwordMode`               | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated`        |
+| `gitea.metrics.enabled`                  | Enable Forgejo metrics                                                                                                        | `false`              |
+| `gitea.metrics.serviceMonitor.enabled`   | Enable Forgejo metrics service monitor                                                                                        | `false`              |
+| `gitea.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running                                                                                      | `""`                 |
+| `gitea.ldap`                             | LDAP configuration                                                                                                            | `[]`                 |
+| `gitea.oauth`                            | OAuth configuration                                                                                                           | `[]`                 |
+| `gitea.additionalConfigSources`          | Additional configuration from secret or configmap                                                                             | `[]`                 |
+| `gitea.additionalConfigFromEnvs`         | Additional configuration sources from environment variables                                                                   | `[]`                 |
+| `gitea.podAnnotations`                   | Annotations for the Forgejo pod                                                                                               | `{}`                 |
+| `gitea.ssh.logLevel`                     | Configure OpenSSH's log level. Only available for root-based Forgejo image.                                                   | `INFO`               |
 
 ### `app.ini` overrides
 
@@ -1072,15 +1113,16 @@ blocks, while the keys themselves remain in all caps.
 
 ### ReadinessProbe
 
-| Name                                       | Description                                       | Value  |
-| ------------------------------------------ | ------------------------------------------------- | ------ |
-| `gitea.readinessProbe.enabled`             | Enable readiness probe                            | `true` |
-| `gitea.readinessProbe.tcpSocket.port`      | Port to probe for readiness                       | `http` |
-| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5`    |
-| `gitea.readinessProbe.timeoutSeconds`      | Timeout for readiness probe                       | `1`    |
-| `gitea.readinessProbe.periodSeconds`       | Period for readiness probe                        | `10`   |
-| `gitea.readinessProbe.successThreshold`    | Success threshold for readiness probe             | `1`    |
-| `gitea.readinessProbe.failureThreshold`    | Failure threshold for readiness probe             | `3`    |
+| Name                                       | Description                                       | Value          |
+| ------------------------------------------ | ------------------------------------------------- | -------------- |
+| `gitea.readinessProbe.enabled`             | Enable readiness probe                            | `true`         |
+| `gitea.readinessProbe.httpGet.path`        | Path to probe for readiness                       | `/api/healthz` |
+| `gitea.readinessProbe.httpGet.port`        | Port to probe for readiness                       | `http`         |
+| `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5`            |
+| `gitea.readinessProbe.timeoutSeconds`      | Timeout for readiness probe                       | `1`            |
+| `gitea.readinessProbe.periodSeconds`       | Period for readiness probe                        | `10`           |
+| `gitea.readinessProbe.successThreshold`    | Success threshold for readiness probe             | `1`            |
+| `gitea.readinessProbe.failureThreshold`    | Failure threshold for readiness probe             | `3`            |
 
 ### StartupProbe
 
@@ -1097,19 +1139,33 @@ blocks, while the keys themselves remain in all caps.
 ### Redis&reg; Cluster
 
 Redis&reg; Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
-Complete Configuration can be taken from their website.
+Full configuration options are available on their website.
+Redis cluster and [Redis](#redis) cannot be enabled at the same time.
 
 | Name                             | Description                                  | Value   |
 | -------------------------------- | -------------------------------------------- | ------- |
-| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
+| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
 | `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
 | `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
 | `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
 
+### Redis&reg;
+
+Redis&reg; is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
+Full configuration options are available on their website.
+Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+
+| Name                          | Description                                | Value        |
+| ----------------------------- | ------------------------------------------ | ------------ |
+| `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
+| `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
+| `redis.global.redis.password` | Required password                          | `changeme`   |
+| `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
+
 ### PostgreSQL HA
 
 PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
-Complete Configuration can be taken from their website.
+Full configuration options are available on their website.
 
 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
@@ -1127,7 +1183,7 @@ Complete Configuration can be taken from their website.
 ### PostgreSQL
 
 PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
-Complete Configuration can be taken from their website.
+Full configuration options are available on their website.
 
 | Name                                                    | Description                                                      | Value   |
 | ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
@@ -1142,11 +1198,11 @@ Complete Configuration can be taken from their website.
 
 | Name               | Description                                                        | Value     |
 | ------------------ | ------------------------------------------------------------------ | --------- |
-| `checkDeprecation` | Set it to false to skip this basic validation check.               | `true`    |
-| `test.enabled`     | Set it to false to disable test-connection Pod.                    | `true`    |
+| `checkDeprecation` | Whether to run this basic validation check.                        | `true`    |
+| `test.enabled`     | Whether to use test-connection Pod.                                | `true`    |
 | `test.image.name`  | Image name for the wget container used in the test-connection Pod. | `busybox` |
 | `test.image.tag`   | Image tag for the wget container used in the test-connection Pod.  | `latest`  |
-| `extraDeploy`      | Array of extra objects to deploy with the release                  | `[]`      |
+| `extraDeploy`      | Array of extra objects to deploy with the release.                 | `[]`      |
 
 ## Contributing
 
@@ -1162,11 +1218,38 @@ This section lists major and breaking changes of each Helm Chart version.
 Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
 If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
 
-### To v7.0.0
+### To v11
+
+PostgreSQL and PostgreSQL HA are now using PostgreSQL v17.
+Please read PostgresSQL upgrade guide before upgrading.
+
+You need Forgejo v10+ to use this Helm Chart version.
+Forgejo v9 is now EOL.
+
+ClusterIP is now emtpy instead of `None` for http and ssh service.
+Unsupported api versions for `Ingress` and `PodDisruptionBudget` are removed.
+`Ingress` and `Service` are now using named ports.
+The ReadinessProbe is now using the `/api/healthz` endpoint.
+
+### To v10
+
+You need Forgejo v9+ to use this Helm Chart version.
+Forgejo v8 is now EOL.
+
+### To v9
+
+Namespaces for all resources are now set to `common.names.namespace` by default.
+
+### To v8
+
+You need Forgejo v8+ to use this Helm Chart version.
+Use the v7 Helm Chart for Forgejo v7.
+
+### To v7
 
 The Forgejo docker image is pulled from `code.forgejo.org` instead of `codeberg.org`.
 
-### To v6.0.0
+### To v6
 
 You need Forgejo v7+ to use this Helm Chart version.
 Use the v5 Helm Chart for Forgejo v1.21.

ci/default-values.yaml

@@ -0,0 +1,20 @@
+# default values with some modifications
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+global:
+  security:
+    allowInsecureImages: true
+redis-cluster:
+  image:
+    registry: public.ecr.aws
+postgresql-ha:
+  postgresql:
+    image:
+      registry: public.ecr.aws
+  pgpool:
+    image:
+      registry: public.ecr.aws
+test:
+  image:
+    name: code.forgejo.org/oci/busybox

ci/default.yml

@@ -1 +0,0 @@
-# default values

ci/dev-values.yaml

@@ -1,11 +1,14 @@
 # Test codeberg.org image
 image:
   registry: codeberg.org
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
 
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: false
 postgresql-ha:
   enabled: false
 

ci/single-values.yaml

@@ -1,10 +1,24 @@
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: true
 postgresql-ha:
   enabled: false
 
+postgresql:
+  enabled: true
+  # Use mirror
+  # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+  image:
+    registry: public.ecr.aws
+global:
+  security:
+    allowInsecureImages: true
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
+
 persistence:
   enabled: true
 

ci/v10-values.yaml

@@ -1,12 +1,16 @@
 image:
   registry: codeberg.org
   repository: forgejo-experimental/forgejo
-  tag: 8.0-test@sha256:40e945bef50f975dfece6e4effbf03abe56c2f165d8f932b46e60d68dc6bd023
+  tag: 10 # don't pin, manifests can be missing
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
 
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: false
 postgresql-ha:
   enabled: false
 

ci/v11-values.yaml

@@ -1,12 +1,16 @@
 image:
   registry: codeberg.org
   repository: forgejo-experimental/forgejo
-  tag: 9.0-test@sha256:03b187b47c9c4dab681a10527ea65448cde53b80bf56ca0e8455ee20319cba2f
+  tag: 11 # don't pin, manifests can be missing
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
 
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: false
 postgresql-ha:
   enabled: false
 

ci/v12-values.yaml

@@ -1,12 +1,16 @@
 image:
   registry: codeberg.org
   repository: forgejo-experimental/forgejo
-  tag: 7.0-test@sha256:824921b3a518b5a160f891fd13efd2591ddfe65592aee68e829198b5a35564de
+  tag: 12 # don't pin, manifests can be missing
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
 
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: false
 postgresql-ha:
   enabled: false
 

package.json

@@ -11,21 +11,21 @@
     "prettier-fix": "prettier --write --ignore-unknown --cache '**/*.*'",
     "readme:lint": "markdownlint *.md -f",
     "readme:parameters": "readme-generator -v values.yaml -r README.md",
-    "test": "helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./"
+    "test": "helm unittest --strict -f 'unittests/**/*.yaml' ./"
   },
   "devDependencies": {
-    "@bitnami/readme-generator-for-helm": "2.6.1",
+    "@bitnami/readme-generator-for-helm": "2.7.0",
     "clipanion": "3.2.1",
     "conventional-changelog-conventionalcommits": "8.0.0",
-    "conventional-changelog-core": "8.0.0",
-    "husky": "9.1.4",
-    "lint-staged": "15.2.7",
-    "markdownlint-cli": "0.41.0",
-    "prettier": "3.3.3"
+    "conventional-changelog-core": "9.0.0",
+    "husky": "9.1.7",
+    "lint-staged": "15.5.0",
+    "markdownlint-cli": "0.44.0",
+    "prettier": "3.5.3"
   },
-  "packageManager": "pnpm@9.6.0",
+  "packageManager": "pnpm@10.7.0",
   "engines": {
-    "node": "^18.12.0 || >=20.9.0",
-    "pnpm": "^9.0.0"
+    "node": "^22.0.0",
+    "pnpm": "^10.0.0"
   }
 }

renovate.json

@@ -1,15 +1,23 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["forgejo-contrib/forgejo-renovate//base.json"],
+  "extends": [
+    "forgejo-contrib/forgejo-renovate//base.json",
+    "forgejo-helm/forgejo-helm//.forgejo/renovate/k3s.json"
+  ],
   "assignees": ["viceice"],
   "baseBranches": ["main", "/^maint\\/.+/"],
   "packageRules": [
     {
-      "description": "Disable major chart updates for maintenance branches",
+      "description": "Separate multiple major sub chart updates",
+      "matchFileNames": ["Chart.yaml"],
+      "separateMultipleMajor": true
+    },
+    {
+      "description": "Require approval for major sub chart updates for maintenance branches",
       "matchBaseBranches": ["/^maint\\/.+/"],
       "matchUpdateTypes": ["major"],
       "matchFileNames": ["Chart.yaml"],
-      "enabled": false
+      "dependencyDashboardApproval": true
     },
     {
       "matchManagers": ["helmv3"],
@@ -34,13 +42,13 @@
       "semanticCommitType": "feat"
     },
     {
-      "description": "Automerge and group helm subchart updates daily (minor & patch)",
+      "description": "Automerge and group helm subchart updates weekly (minor & patch)",
       "matchManagers": ["helmv3"],
       "matchFileNames": ["Chart.yaml"],
       "matchUpdateTypes": ["minor", "patch"],
       "automerge": true,
       "groupName": "subcharts",
-      "extends": ["schedule:daily"]
+      "extends": ["schedule:weekly"]
     },
     {
       "description": "Automerge dev deps updates",
@@ -66,21 +74,9 @@
       "matchUpdateTypes": ["digest"],
       "automerge": true
     },
-    {
-      "description": "Separate minor and patch updates for kindest",
-      "matchPackageNames": ["kindest/node"],
-      "separateMinorPatch": true
-    },
-    {
-      "description": "Require approval and no automerge for kindest major and minor updates",
-      "matchPackageNames": ["kindest/node"],
-      "matchUpdateTypes": ["major", "minor"],
-      "dependencyDashboardApproval": true,
-      "automerge": false
-    },
     {
       "description": "Use test scope for forgejo ci tests",
-      "matchFileNames": ["ci/*.yml"],
+      "matchFileNames": ["ci/*.yaml"],
       "additionalBranchPrefix": "ci-forgejo-",
       "semanticCommitType": "ci",
       "semanticCommitScope": "forgejo",
@@ -89,10 +85,15 @@
     },
     {
       "description": "Disable updates for forgejo ci tests",
-      "matchFileNames": ["ci/*.yml"],
+      "matchFileNames": ["ci/*.yaml"],
       "matchUpdateTypes": ["major", "minor", "patch"],
       "enabled": false
     },
+    {
+      "description": "Don't pin digests for forgejo ci tests, not supported",
+      "matchFileNames": ["ci/*.yaml"],
+      "pinDigests": false
+    },
     {
       "description": "branch automerge not possible",
       "automergeType": "pr",
@@ -122,16 +123,15 @@
     },
     {
       "customType": "regex",
-      "description": "Update kindest kubernetes references",
+      "description": "Update k3s kubernetes references",
       "fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"],
-      "matchStrings": [
-        " +- (?<currentValue>v\\d+\\.\\d+\\.\\d+) # renovate: kindest\\n"
-      ],
-      "depNameTemplate": "kindest/node",
-      "datasourceTemplate": "docker"
+      "matchStrings": [" +- (?<currentValue>.+?) # renovate: k3s\\n"],
+      "depNameTemplate": "k3s",
+      "packageNameTemplate": "k3s-io/k3s",
+      "datasourceTemplate": "github-releases"
     }
   ],
   "helm-values": {
-    "fileMatch": ["^ci/.+\\.yml$"]
+    "fileMatch": ["^ci/.+\\.yaml$"]
   }
 }

templates/_helpers.tpl

@@ -32,6 +32,14 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Get version from .Values.image.tag or Chart.AppVersion.
+Trim optional docker digest.
+*/}}
+{{- define "gitea.version" -}}
+{{- regexReplaceAll "@.+" (.Values.image.tag | default .Chart.AppVersion | toString) "" -}}
+{{- end -}}
+
 {{/*
 Create image name and tag used by the deployment.
 */}}
@@ -74,7 +82,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass := .Values.persistence.storageClass | default .Values.global.storageClass }}
+{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@@ -87,8 +95,8 @@ Common labels
 helm.sh/chart: {{ include "gitea.chart" . }}
 app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
-app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/version: {{ include "gitea.version" . | quote }}
+version: {{ include "gitea.version" . | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
@@ -113,20 +121,28 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "redis.dns" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
+{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
+{{- else if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
+{{- else if (index .Values "redis").enabled -}}
+{{ (index .Values "redis").master.service.ports.redis }}
 {{- end -}}
 {{- end -}}
 
 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
 
@@ -208,7 +224,7 @@ https
         {{- $_ := set $inlines $key (join "\n" $section) -}}
       {{- end -}}
     {{- else }}
-      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
+      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") (eq $key "APP_SLOGAN") (eq $key "APP_DISPLAY_NAME_FORMAT") -}}
         {{- $generals = append $generals (printf "%s=%s" $key $value) -}}
       {{- else -}}
         {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
@@ -271,7 +287,7 @@ https
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
   {{- /* redis queue */ -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
+  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
     {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
     {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
@@ -392,3 +408,11 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
+
+{{- define "gitea.admin.passwordMode" -}}
+{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
+{{ .Values.gitea.admin.passwordMode }}
+{{- else -}}
+{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
+{{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -88,15 +89,18 @@ stringData:
 
       env2ini::log "    + '${setting}'"
 
+      local masked_setting="${setting//./_0X2E_}"                           # '//' instructs to replace all matches
+      masked_setting="${masked_setting//-/_0X2D_}"
+
       if [[ -z "${section}" ]]; then
-        export "FORGEJO____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "FORGEJO____${masked_setting^^}=${value}"                           # '^^' makes the variable content uppercase
         return
       fi
 
       local masked_section="${section//./_0X2E_}"                           # '//' instructs to replace all matches
       masked_section="${masked_section//-/_0X2D_}"
 
-      export "FORGEJO__${masked_section^^}__${setting^^}=${value}"          # '^^' makes the variable content uppercase
+      export "FORGEJO__${masked_section^^}__${masked_setting^^}=${value}"          # '^^' makes the variable content uppercase
     }
 
     function env2ini::reload_preset_envs() {

templates/gitea/deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   annotations:
     {{- if .Values.deployment.annotations }}
     {{- toYaml .Values.deployment.annotations | nindent 4 }}
@@ -56,7 +57,7 @@ spec:
       {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
       initContainers:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
@@ -90,7 +91,7 @@ spec:
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
@@ -130,7 +131,7 @@ spec:
             {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- if .Values.signing.enabled }}
@@ -144,7 +145,7 @@ spec:
             {{- if not (hasKey $csc "runAsUser") -}}
             {{- $_ := set $csc "runAsUser" 1000 -}}
             {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
@@ -175,7 +176,7 @@ spec:
             {{- if not (hasKey $csc "runAsUser") -}}
             {{- $_ := set $csc "runAsUser" 1000 -}}
             {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -243,6 +244,8 @@ spec:
             - name: GITEA_ADMIN_PASSWORD
               value: {{ .Values.gitea.admin.password | quote }}
             {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ include "gitea.admin.passwordMode" $ }}
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
@@ -324,9 +327,9 @@ spec:
           securityContext:
             {{- /* Honor the deprecated securityContext variable when defined */ -}}
             {{- if .Values.containerSecurityContext -}}
-            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
             {{- else -}}
-            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: temp

templates/gitea/gpg-secret.yaml

@@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/http-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.http.labels }}
@@ -11,7 +12,11 @@ metadata:
     {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if .Values.service.http.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
+  {{- end }}
+  {{- if and .Values.service.http.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
   {{- if .Values.service.http.loadBalancerSourceRanges }}
@@ -20,6 +25,7 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
+  {{- end }}
   {{- if .Values.service.http.externalIPs }}
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
@@ -43,6 +49,6 @@ spec:
     {{- if  .Values.service.http.nodePort }}
     nodePort: {{ .Values.service.http.nodePort }}
     {{- end }}
-    targetPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+    targetPort: http
   selector:
     {{- include "gitea.selectorLabels" . | nindent 4 }}

templates/gitea/ingress.yaml

@@ -1,18 +1,10 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
-{{- $httpPort := .Values.service.http.port -}}
-{{- $apiVersion := "extensions/v1beta1" -}}
-{{- if .Values.ingress.apiVersion -}}
-{{- $apiVersion = .Values.ingress.apiVersion -}}
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
-{{- $apiVersion = "networking.k8s.io/v1" }}
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
-{{- $apiVersion = "networking.k8s.io/v1beta1" }}
-{{- end }}
-apiVersion: {{ $apiVersion }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:
@@ -21,7 +13,7 @@ metadata:
     {{- end }}
 spec:
 {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName: {{ tpl .Values.ingress.className . }}
 {{- end }}
 {{- if .Values.ingress.tls }}
   tls:
@@ -40,19 +32,14 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
+            {{- if .pathType }}
             pathType: {{ .pathType }}
             {{- end }}
             backend:
-            {{- if eq $apiVersion "networking.k8s.io/v1" }}
               service:
                 name: {{ $fullName }}-http
                 port:
-                  number: {{ $httpPort }}
-            {{- else }}
-              serviceName: {{ $fullName }}-http
-              servicePort: {{ $httpPort }}
-            {{- end }}
+                  name: http
           {{- end }}
     {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -109,13 +110,26 @@ stringData:
 
       local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
       if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
         echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
         echo '...created.'
       else
-        echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false
-        echo '...password sync done.'
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
+          local -a change_args
+          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false)
+          gitea admin user change-password "${change_args[@]}"
+          echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
       fi
     }
 

templates/gitea/poddisruptionbudget.yaml

@@ -1,12 +1,9 @@
 {{- if .Values.podDisruptionBudget -}}
-{{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:

templates/gitea/pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
 {{- if .Values.persistence.labels }}

templates/gitea/route.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.route.annotations | nindent 4 }}
+spec:
+  {{- if .Values.route.host }}
+  host: {{ tpl .Values.route.host $ | quote }}
+  {{- end }}
+  {{- if .Values.route.wildcardPolicy }}
+  wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+  {{- end }}
+  to:
+    kind: Service
+    name: {{ include "gitea.fullname" . }}-http
+    weight: 100
+  port:
+    targetPort: http
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+    {{- if .Values.route.tls.existingSecret }}
+    externalCertificate: {{ .Values.route.tls.existingSecret }}
+    {{- else if and .Values.route.tls.certificate
+                    .Values.route.tls.privateKey
+                    .Values.route.tls.caCertificate }}
+    certificate: |
+{{ .Values.route.tls.certificate | indent 6 }}
+    key: |
+{{ .Values.route.tls.privateKey | indent 6 }}
+    caCertificate: |
+{{ .Values.route.tls.caCertificate | indent 6 }}
+    {{- else if or .Values.route.tls.certificate
+                    .Values.route.tls.privateKey
+                    .Values.route.tls.caCertificate }}
+    {{- fail "certificate, privateKey and caCertificate must be specified together" }}
+    {{- end }}
+{{- end }}

templates/gitea/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}

templates/gitea/servicemonitor.yaml

@@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ default (include "common.names.namespace" .) .Values.gitea.metrics.serviceMonitor.namespace | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}

templates/gitea/ssh-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.ssh.labels }}
@@ -12,6 +13,9 @@ metadata:
 spec:
   type: {{ .Values.service.ssh.type }}
   {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
   {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
   {{- end -}}
@@ -43,7 +47,7 @@ spec:
   - name: ssh
     port: {{ .Values.service.ssh.port }}
     {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
-    targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
+    targetPort: ssh
     {{- end }}
     protocol: TCP
     {{- if .Values.service.ssh.nodePort }}

templates/tests/test-http-connection.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
 {{ include "gitea.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
 spec:
   containers:
     - name: wget

tools/changelog.mjs

@@ -1,67 +1,12 @@
-import conventionalChangelogCore from 'conventional-changelog-core';
-import conventionalChangelogPreset from 'conventional-changelog-conventionalcommits';
-import fs from 'node:fs';
+import { getChangelog } from './changelog/util.js';
 
-const config = conventionalChangelogPreset({
-  types: [
-    {
-      type: 'feat',
-      section: 'Features',
-    },
-    {
-      type: 'fix',
-      section: 'Bug Fixes',
-    },
-    {
-      type: 'perf',
-      section: 'Performance Improvements',
-    },
-    {
-      type: 'revert',
-      section: 'Reverts',
-    },
-    {
-      type: 'docs',
-      section: 'Documentation',
-    },
-    {
-      type: 'style',
-      section: 'Styles',
-    },
-    {
-      type: 'refactor',
-      section: 'Code Refactoring',
-    },
-    {
-      type: 'test',
-      section: 'Tests',
-    },
-    {
-      type: 'build',
-      section: 'Build System',
-    },
-    {
-      type: 'ci',
-      section: 'Continuous Integration',
-    },
-    {
-      type: 'chore',
-      section: 'Miscellaneous Chores',
-    },
-  ],
-});
+const stream = getChangelog(!!process.argv[2]).setEncoding('utf8');
 
-const file = process.argv[3]
-  ? fs.createWriteStream(process.argv[3])
-  : process.stdout;
+const changes = (await stream.toArray()).join('');
 
-conventionalChangelogCore(
-  {
-    config,
-    releaseCount: 2,
-  },
-  { version: process.argv[2], linkCompare: false },
-  undefined,
-  undefined,
-  { headerPartial: '' },
-).pipe(file);
+if (!changes.length) {
+  console.error('No changelog found');
+  process.exit(1);
+}
+
+process.stdout.write(changes);

tools/changelog/util.js

@@ -56,17 +56,16 @@ export const config = conventionalChangelogPreset({
 
 /**
  *
- * @param {string} version
- * @param {boolean} onTag
+ * @param {boolean|undefined} onTag
  * @returns
  */
-export function getChangelog(version, onTag) {
+export function getChangelog(onTag = false) {
   return conventionalChangelogCore(
     {
       config,
       releaseCount: onTag ? 2 : 1,
     },
-    { version, linkCompare: false },
+    undefined,
     undefined,
     undefined,
     { headerPartial: '' },

tools/ct.yml

@@ -1,3 +1,4 @@
+# https://github.com/helm/chart-testing/blob/main/doc/ct_install.md
 helm-extra-args: --timeout 3m
 check-version-increment: false
 debug: true

tools/forgejo-release.js

@@ -68,7 +68,7 @@ class GiteaReleaseCommand extends Command {
       return 1;
     }
 
-    const stream = getChangelog(tag, true).setEncoding('utf8');
+    const stream = getChangelog(true).setEncoding('utf8');
     const changes = (await stream.toArray()).join('');
 
     this.context.stdout.write(`Creating release ${tag}.\n`);

unittests/config/cache-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             ADAPTER=redis
             HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "cache is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: 'cache is configured correctly for redis'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             ADAPTER=memory
             HOST=
 
-  - it: 'cache can be customized when redis-cluster is disabled'
+  - it: 'cache can be customized when redis (or redis-cluster) is disabled'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.cache.ADAPTER: custom-adapter
       gitea.config.cache.HOST: custom-host
     asserts:

unittests/config/queue-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
             TYPE=redis
 
-  - it: "queue is configured correctly for 'levelDB' when redis-cluster is disabled"
+  - it: 'queue is configured correctly for redis'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             CONN_STR=
             TYPE=level
 
-  - it: 'queue can be customized when redis-cluster is disabled'
+  - it: 'queue can be customized when redis (and redis-cluster) are disabled'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.queue.TYPE: custom-type
       gitea.config.queue.CONN_STR: custom-connection-string
     asserts:

unittests/config/session-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             PROVIDER=redis
             PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "session is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: 'session is configured correctly for redis'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             PROVIDER=memory
             PROVIDER_CONFIG=
 
-  - it: 'session can be customized when redis-cluster is disabled'
+  - it: 'session can be customized when redis (and redis-cluster) is disabled'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.session.PROVIDER: custom-provider
       gitea.config.session.PROVIDER_CONFIG: custom-provider-config
     asserts:

unittests/dependency-major-image-check.yaml

@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
+          pattern: ^docker.io/bitnami/postgresql-repmgr:17.+$
   - it: '[postgresql] ensures we detect major image version upgrades'
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,15 +28,30 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql:16.+$
+          pattern: ^docker.io/bitnami/postgresql:17.+$
   - it: '[redis-cluster] ensures we detect major image version upgrades'
     template: charts/redis-cluster/templates/redis-statefulset.yaml
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/redis-cluster:7.+$
+  - it: '[redis] ensures we detect major image version upgrades'
+    template: charts/redis/templates/master/application.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
     asserts:
       - documentIndex: 0
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/redis-cluster:7.+$
+          pattern: bitnami/redis:7.+$

unittests/deployment/ingress-configuration.yaml

@@ -15,9 +15,33 @@ tests:
           hosts:
             - '{{ .Values.global.giteaHostName }}'
     asserts:
+      - isKind:
+          of: Ingress
       - equal:
           path: spec.tls[0].hosts[0]
           value: 'gitea.example.com'
       - equal:
           path: spec.rules[0].host
           value: 'gitea.example.com'
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: 'ingress-class'
+      ingress.className: '{{ .Values.global.ingress.className }}'
+      ingress.enabled: true
+      ingress.hosts[0].host: 'some-host'
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - 'some-host'
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: 'some-host'
+      - equal:
+          path: spec.rules[0].host
+          value: 'some-host'
+      - equal:
+          path: spec.ingressClassName
+          value: 'ingress-class'

unittests/deployment/route-configuration.yaml

@@ -0,0 +1,155 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: route template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/route.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: 'gitea.example.com'
+      route.enabled: true
+      route.host: '{{ .Values.global.giteaHostName }}'
+    asserts:
+      - isKind:
+          of: Route
+      - equal:
+          path: spec.host
+          value: 'gitea.example.com'
+      - notExists:
+          path: spec.wildcardPolicy
+  - it: wildcard policy
+    set:
+      global.giteaHostName: 'gitea.example.com'
+      route.enabled: true
+      route.wildcardPolicy: 'Subdomain'
+    asserts:
+      - isKind:
+          of: Route
+      - equal:
+          path: spec.wildcardPolicy
+          value: 'Subdomain'
+  - it: existing certificate
+    set:
+      route.enabled: true
+      route.tls.existingSecret: certificate-secret
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - isKind:
+          of: Route
+      - equal:
+          path: spec.tls.externalCertificate
+          value: certificate-secret
+      - notExists:
+          path: spec.tls.certificate
+      - notExists:
+          path: spec.tls.key
+      - notExists:
+          path: spec.tls.caCertificate
+  - it: valid certificate values
+    set:
+      route.enabled: true
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - isKind:
+          of: Route
+      - notExists:
+          path: spec.tls.externalCertificate
+      - equal:
+          path: spec.tls.certificate
+          value: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+      - equal:
+          path: spec.tls.key
+          value: |
+            -----BEGIN PRIVATE KEY-----
+            ...
+            -----END PRIVATE KEY-----
+      - equal:
+          path: spec.tls.caCertificate
+          value: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+  - it: missing certificate values
+    set:
+      route.enabled: true
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - failedTemplate:
+          errorMessage: certificate, privateKey and caCertificate must be specified together
+  - it: missing privateKey values
+    set:
+      route.enabled: true
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - failedTemplate:
+          errorMessage: certificate, privateKey and caCertificate must be specified together
+  - it: missing caCertificate values
+    set:
+      route.enabled: true
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+    asserts:
+      - failedTemplate:
+          errorMessage: certificate, privateKey and caCertificate must be specified together

unittests/deployment/security-context-normal.yaml

@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group set to 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: run configure-gitea with UID 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
+          value: 1000

unittests/deployment/security-context-ocp.yaml

@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group not set
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext.fsGroup
+  - it: configure-gitea without runaAsUser
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser

unittests/deployment/svc-configuration.yaml

@@ -58,4 +58,71 @@ tests:
           value: 22
       - equal:
           path: spec.ports[0].targetPort
-          value: 2222
+          value: ssh
+
+  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          loadBalancerClass: 'example.com/class'
+          type: LoadBalancer
+          loadBalancerIP: '1.2.3.4'
+          loadBalancerSourceRanges:
+            - '1.2.3.4/32'
+            - '5.6.7.8/32'
+    asserts:
+      - equal:
+          path: spec.loadBalancerClass
+          value: 'example.com/class'
+      - equal:
+          path: spec.loadBalancerIP
+          value: '1.2.3.4'
+      - equal:
+          path: spec.loadBalancerSourceRanges
+          value: ['1.2.3.4/32', '5.6.7.8/32']
+
+  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: ClusterIP
+          loadBalancerClass: 'example.com/class'
+          loadBalancerIP: '1.2.3.4'
+          loadBalancerSourceRanges:
+            - '1.2.3.4/32'
+            - '5.6.7.8/32'
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - notExists:
+          path: spec.loadBalancerIP
+      - notExists:
+          path: spec.loadBalancerSourceRanges
+
+  - it: does not render loadBalancerClass by default even when type is LoadBalancer
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: LoadBalancer
+          loadBalancerIP: '1.2.3.4'
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - equal:
+          path: spec.loadBalancerIP
+          value: '1.2.3.4'
+
+  - it: both ssh and http services exist
+    templates:
+      - templates/gitea/ssh-svc.yaml
+      - templates/gitea/http-svc.yaml
+    asserts:
+      - matchRegex:
+          path: metadata.name
+          pattern: '^gitea-unittests-forgejo-(?:ssh|http)$'
+      - matchRegex:
+          path: spec.ports[0].name
+          pattern: '^(?:ssh|http)$'

unittests/pvc/pvc-configuration.yaml

@@ -0,0 +1,19 @@
+suite: PVC template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/pvc.yaml
+tests:
+  - it: Storage Class using TPL
+    set:
+      global.persistence.storageClass: 'storage-class'
+      persistence.enabled: true
+      persistence.create: true
+      persistence.storageClass: '{{ .Values.global.persistence.storageClass }}'
+    asserts:
+      - isKind:
+          of: PersistentVolumeClaim
+      - equal:
+          path: spec.storageClassName
+          value: 'storage-class'

unittests/values-conflicting-checks.yaml

@@ -0,0 +1,14 @@
+suite: Values conflicting checks
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: fails when trying to configure redis and redis-cluster the same time
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: redis and redis-cluster cannot be enabled at the same time. Please only choose one.

values.yaml

@@ -20,6 +20,10 @@ global:
   #   hostnames:
   #   - example.com
 
+## @param namespaceOverride String to fully override common.names.namespace
+##
+namespaceOverride: ''
+
 ## @param replicaCount number of replicas for the deployment
 replicaCount: 1
 
@@ -97,7 +101,7 @@ podDisruptionBudget: {}
 service:
   ## @param service.http.type Kubernetes service type for web traffic
   ## @param service.http.port Port number for web traffic
-  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
+  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment
   ## @param service.http.loadBalancerIP LoadBalancer IP setting
   ## @param service.http.nodePort NodePort for http service
   ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@@ -107,10 +111,11 @@ service:
   ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
   ## @param service.http.annotations HTTP service annotations
   ## @param service.http.labels HTTP service additional labels
+  ## @param service.http.loadBalancerClass Loadbalancer class
   http:
     type: ClusterIP
     port: 3000
-    clusterIP: None
+    clusterIP:
     loadBalancerIP:
     nodePort:
     externalTrafficPolicy:
@@ -120,9 +125,10 @@ service:
     loadBalancerSourceRanges: []
     annotations: {}
     labels: {}
+    loadBalancerClass:
   ## @param service.ssh.type Kubernetes service type for ssh traffic
   ## @param service.ssh.port Port number for ssh traffic
-  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
+  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment
   ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
   ## @param service.ssh.nodePort NodePort for ssh service
   ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@@ -133,10 +139,11 @@ service:
   ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
   ## @param service.ssh.annotations SSH service annotations
   ## @param service.ssh.labels SSH service additional labels
+  ## @param service.ssh.loadBalancerClass Loadbalancer class
   ssh:
     type: ClusterIP
     port: 22
-    clusterIP: None
+    clusterIP:
     loadBalancerIP:
     nodePort:
     externalTrafficPolicy:
@@ -147,6 +154,7 @@ service:
     loadBalancerSourceRanges: []
     annotations: {}
     labels: {}
+    loadBalancerClass:
 
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
@@ -156,7 +164,6 @@ service:
 ## @param ingress.hosts[0].paths[0].path Default Ingress path
 ## @param ingress.hosts[0].paths[0].pathType Ingress path type
 ## @param ingress.tls Ingress tls settings
-## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
 ingress:
   enabled: false
   # className: nginx
@@ -174,9 +181,48 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - git.example.com
-  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
-  # If helm doesn't correctly detect your ingress API version you can set it here.
-  # apiVersion: networking.k8s.io/v1
+
+## @section Route
+## @param route.enabled Enable route
+## @param route.annotations Route annotations
+## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
+## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
+## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
+## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
+## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
+## @param route.tls.certificate PEM encoded single certificate
+## @param route.tls.privateKey PEM encoded private key
+## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
+## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
+route:
+  enabled: false
+  annotations: {}
+  host:
+  wildcardPolicy:
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+    existingSecret:
+    certificate:
+    # certificate: |-
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+    privateKey:
+    # privateKey: |-
+    # -----BEGIN PRIVATE KEY-----
+    # ...
+    # -----END PRIVATE KEY-----
+    caCertificate:
+    # caCertificate: |-
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+    destinationCACertificate:
+    # destinationCACertificate: |-
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
 
 ## @section deployment
 #
@@ -323,7 +369,7 @@ initContainers:
 #
 ## @param signing.enabled Enable commit/action signing
 ## @param signing.gpgHome GPG home directory
-## @param signing.privateKey Inline private gpg key for signed internal Git activity
+## @param signing.privateKey Inline private GPG key for signed internal Git activity
 ## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
 signing:
   enabled: false
@@ -342,19 +388,23 @@ gitea:
   ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
   ## @param gitea.admin.password Password for the Forgejo admin user
   ## @param gitea.admin.email Email for the Forgejo admin user
+  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
   admin:
     # existingSecret: gitea-admin-secret
     existingSecret:
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: 'gitea@local.domain'
+    passwordMode: keepUpdated
 
   ## @param gitea.metrics.enabled Enable Forgejo metrics
   ## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor
+  ## @param gitea.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
   metrics:
     enabled: false
     serviceMonitor:
       enabled: false
+      namespace: ''
       #  additionalLabels:
       #    prometheus-release: prom1
 
@@ -410,12 +460,10 @@ gitea:
 
   ## @section `app.ini` overrides
   ## @descriptionStart
-  ##
   ## Every value described in the [Cheat
   ## Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
   ## set as a Helm value. Configuration sections map to (lowercased) YAML
   ## blocks, while the keys themselves remain in all caps.
-  ##
   ## @descriptionEnd
   config:
     # values in the DEFAULT section
@@ -585,7 +633,8 @@ gitea:
   ## @section ReadinessProbe
   #
   ## @param gitea.readinessProbe.enabled Enable readiness probe
-  ## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness
+  ## @param gitea.readinessProbe.httpGet.path Path to probe for readiness
+  ## @param gitea.readinessProbe.httpGet.port Port to probe for readiness
   ## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated
   ## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe
   ## @param gitea.readinessProbe.periodSeconds Period for readiness probe
@@ -594,7 +643,8 @@ gitea:
   # Modify the readiness probe for your needs or completely disable it by commenting out.
   readinessProbe:
     enabled: true
-    tcpSocket:
+    httpGet:
+      path: /api/healthz
       port: http
     initialDelaySeconds: 5
     timeoutSeconds: 1
@@ -625,10 +675,11 @@ gitea:
 ## @section Redis® Cluster
 ## @descriptionStart
 ## Redis® Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
-## Complete Configuration can be taken from their website.
+## Full configuration options are available on their website.
+## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
 ## @descriptionEnd
 #
-## @param redis-cluster.enabled Enable redis
+## @param redis-cluster.enabled Enable redis cluster
 ## @param redis-cluster.usePassword Whether to use password authentication
 ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
 ## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
@@ -639,10 +690,30 @@ redis-cluster:
     nodes: 3 # default: 6
     replicas: 0 # default: 1
 
+## @section Redis®
+## @descriptionStart
+## Redis® is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
+## Full configuration options are available on their website.
+## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+## @descriptionEnd
+#
+## @param redis.enabled Enable redis standalone or replicated
+## @param redis.architecture Whether to use standalone or replication
+## @param redis.global.redis.password Required password
+## @param redis.master.count Number of Redis master instances to deploy
+redis:
+  enabled: false
+  architecture: standalone
+  global:
+    redis:
+      password: changeme
+  master:
+    count: 1
+
 ## @section PostgreSQL HA
 ## @descriptionStart
 ## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
-## Complete Configuration can be taken from their website.
+## Full configuration options are available on their website.
 ## @descriptionEnd
 #
 ## @param postgresql-ha.enabled Enable PostgreSQL HA chart
@@ -678,7 +749,7 @@ postgresql-ha:
 ## @section PostgreSQL
 ## @descriptionStart
 ## PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
-## Complete Configuration can be taken from their website.
+## Full configuration options are available on their website.
 ## @descriptionEnd
 #
 ## @param postgresql.enabled Enable PostgreSQL
@@ -705,8 +776,8 @@ postgresql:
 # By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
 # Set it to false to skip this basic validation check.
 ## @section Advanced
-## @param checkDeprecation Set it to false to skip this basic validation check.
-## @param test.enabled Set it to false to disable test-connection Pod.
+## @param checkDeprecation Whether to run this basic validation check.
+## @param test.enabled Whether to use test-connection Pod.
 ## @param test.image.name Image name for the wget container used in the test-connection Pod.
 ## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
 checkDeprecation: true
@@ -716,6 +787,6 @@ test:
     name: busybox
     tag: latest
 
-## @param extraDeploy Array of extra objects to deploy with the release
+## @param extraDeploy Array of extra objects to deploy with the release.
 ##
 extraDeploy: []