chore(deps): update pnpm to v10.7.0 (main) (#1168)

Reviewed-on: https://code.forgejo.org/forgejo-helm/forgejo-helm/pulls/1168
Co-authored-by: Renovate Bot <bot@kriese.eu>
Co-committed-by: Renovate Bot <bot@kriese.eu>

.forgejo/actions/setup-k3s/action.yml

@@ -0,0 +1,25 @@
+# action.yml
+name: setup-k3s
+description: 'setup k3s'
+
+inputs:
+  version:
+    description: 'k3s version'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - shell: bash
+      name: install k3s
+      run: |
+        curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=${INPUT_VERSION} K3S_KUBECONFIG_MODE=640 sh -s - server
+        echo "KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> $GITHUB_ENV
+    - shell: bash
+      name: check k3s
+      run: kubectl cluster-info
+    - shell: bash
+      name: wait for nodes ready
+      run: |
+        sleep 3
+        kubectl wait --for=condition=Ready nodes --all --timeout=600s

.forgejo/actions/setup-node/action.yml

@@ -5,11 +5,15 @@ description: 'setup node'
 runs:
   using: 'composite'
   steps:
-    - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+    - name: Setup pnpm
+      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      with:
+        standalone: true
+
+    - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
       with:
         node-version-file: .node-version
-        # cache: 'npm'
-    - shell: bash
-      run: corepack enable
+        cache: 'pnpm'
+
     - shell: bash
       run: pnpm install --frozen-lockfile

.forgejo/renovate/k3s.json

@@ -0,0 +1,57 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "description": "Separate minor and patch updates for k3s",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "separateMultipleMinor": true,
+      "separateMinorPatch": true,
+      "branchTopic": "{{{depNameSanitized}}}{{#if isMinor}}-minor{{/if}}-{{{newMajor}}}{{#if isPatch}}.{{{newMinor}}}{{/if}}.x{{#if isLockfileUpdate}}-lockfile{{/if}}",
+      "commitMessageSuffix": "{{#if isMinor}}(minor){{/if}}{{#if isPatch}}(patch){{/if}}"
+    },
+    {
+      "description": "No automerge for k3s major and minor updates",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "matchUpdateTypes": ["major", "minor"],
+      "automerge": false
+    },
+    {
+      "description": "Group k3s patch updates",
+      "matchDatasources": ["github-releases"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "matchUpdateTypes": ["patch"],
+      "groupName": "k3s"
+    },
+    {
+      "description": "Disable k3s major and minor updates for old versions",
+      "matchDatasources": ["github-releases"],
+      "matchFileNames": [".forgejo/workflows/**"],
+      "matchPackageNames": ["k3s-io/k3s"],
+      "matchUpdateTypes": ["major", "minor"],
+      "matchCurrentValue": "!/^v1.32/",
+      "enabled": false
+    }
+  ],
+  "customDatasources": {
+    "k3s": {
+      "defaultRegistryUrlTemplate": "https://update.k3s.io/v1-release/channels",
+      "transformTemplates": [
+        "($isVersion:=function($name){$contains($name,/^v\\d+.\\d+$/)};{\"releases\":[data[$isVersion(name)].{\"version\":latest}],\"sourceUrl\":\"https://github.com/k3s-io/k3s\",\"homepage\":\"https://k3s.io/\"})"
+      ]
+    }
+  },
+  "customManagers": [
+    {
+      "customType": "regex",
+      "fileMatch": [".forgejo/renovate/k3s.json"],
+      "matchStrings": [
+        "matchCurrentValue\": \"!\\/^v(?<currentValue>\\d+\\.\\d+)\\/"
+      ],
+      "depNameTemplate": "k3s",
+      "versioningTemplate": "npm",
+      "datasourceTemplate": "custom.k3s"
+    }
+  ]
+}

.forgejo/workflows/build.yml

@@ -5,19 +5,20 @@ on:
   push:
     branches:
       - main
-      - release/**
+      - maint/**
     tags:
       - v*
+  workflow_dispatch:
 
 permissions:
   contents: read
 
 env:
-  HELM_VERSION: v3.14.4 # renovate: datasource=github-releases depName=helm packageName=helm/helm
-  HELM_UNITTEST_VERSION: v0.4.4 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
-  HELM_CHART_TESTING_VERSION: v3.10.1 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
-  KIND_VERSION: v0.22.0 # renovate: datasource=github-releases depName=kind packageName=kubernetes-sigs/kind
-  KUBECTL_VERSION: v1.30.0 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
+  HELM_VERSION: v3.17.2 # renovate: datasource=github-releases depName=helm packageName=helm/helm
+  HELM_UNITTEST_VERSION: v0.7.2 # renovate: datasource=github-releases depName=helm-unittest packageName=helm-unittest/helm-unittest
+  HELM_CHART_TESTING_VERSION: v3.12.0 # renovate: datasource=github-releases depName=chart-testing packageName=helm/chart-testing
+  KUBECTL_VERSION: v1.32.3 # renovate: datasource=github-releases depName=kubectl packageName=kubernetes/kubernetes
+  CT_GITHUB_GROUPS: true
 
 jobs:
   lint-node:
@@ -25,9 +26,11 @@ jobs:
     steps:
       - run: cat /etc/os-release
 
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
+          fetch-depth: 0 # Important for changelog
+          filter: blob:none # We don't need all blobs
 
       - uses: ./.forgejo/actions/setup
       - uses: ./.forgejo/actions/setup-node
@@ -37,6 +40,10 @@ jobs:
       - run: make readme
       - run: git diff --exit-code --name-only README.md
 
+      - name: changelog
+        run: |
+          pnpm changelog ${{ github.ref_type == 'tag' && 'true' || '' }}
+
   lint-helm:
     runs-on: docker
     steps:
@@ -44,7 +51,7 @@ jobs:
 
       - run: ps axf
 
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
           fetch-depth: 0
@@ -53,12 +60,12 @@ jobs:
       - uses: ./.forgejo/actions/setup
 
       - name: install chart-testing
-        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           version: ${{ env.HELM_CHART_TESTING_VERSION }}
 
       - name: install helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
 
@@ -74,20 +81,27 @@ jobs:
       - run: ct lint --config tools/ct.yml --charts .
 
   e2e:
+    needs:
+      - lint-node
+      - lint-helm
     runs-on: k8s
 
     strategy:
       matrix:
-        k8s:
-          # from https://hub.docker.com/r/kindest/node/tags
-          - v1.27.11 # renovate: kindest
-          - v1.28.7 # renovate: kindest
-          - v1.29.2 # renovate: kindest
+        k3s:
+          # https://github.com/k3s-io/k3s/branches
+          # oldest supported version
+          - v1.28.15+k3s1 # renovate: k3s
+          # https://github.com/k3s-io/k3s/blob/master/channel.yaml#L3-L4
+          # stable version
+          - v1.31.6+k3s1 # renovate: k3s
+          # newest version
+          - v1.32.2+k3s1 # renovate: k3s
 
     steps:
       - run: cat /etc/os-release
 
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
           fetch-depth: 0
@@ -96,34 +110,28 @@ jobs:
       - uses: ./.forgejo/actions/setup
 
       - name: install helm
-        uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
 
       - name: Install chart-testing
-        # TODO: pin to version when this is released: https://github.com/helm/chart-testing-action/pull/137
-        uses: helm/chart-testing-action@af96d800b1be6aab4e5770afe641ba93d52e3c8d # main
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
         with:
           version: ${{ env.HELM_CHART_TESTING_VERSION }}
 
-      - uses: ./.forgejo/actions/setup-docker
-
-      - name: Create kind cluster
-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
+      - uses: ./.forgejo/actions/setup-k3s
         with:
-          node_image: kindest/node:${{ matrix.k8s }}
-          kubectl_version: ${{ env.KUBECTL_VERSION }}
-          version: ${{ env.KIND_VERSION }}
+          version: ${{ matrix.k3s }}
 
       - run: kubectl get no -o wide
 
       - name: install chart
-        uses: https://github.com/nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+        uses: https://github.com/nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
         with:
           timeout_minutes: 15
           max_attempts: 3
           retry_on: error
-          retry_wait_seconds: 60
+          retry_wait_seconds: 120
           polling_interval_seconds: 5
           command: ct install --config tools/ct.yml --charts .
 
@@ -161,7 +169,7 @@ jobs:
     if: ${{ github.ref_type == 'tag' }}
 
     steps:
-      - uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           show-progress: false
           fetch-depth: 0 # Important for changelog
@@ -171,7 +179,7 @@ jobs:
       - uses: ./.forgejo/actions/setup-node
 
       - name: install helm
-        uses: https://github.com/azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
+        uses: https://github.com/azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 # v4.3.0
         with:
           version: ${{ env.HELM_VERSION }}
 
@@ -182,6 +190,7 @@ jobs:
         run: |
           echo ${CODEBERG_TOKEN} | helm registry login -u viceice --password-stdin codeberg.org/forgejo-contrib
           echo ${FORGEJO_TOKEN} | helm registry login -u viceice --password-stdin code.forgejo.org/forgejo-contrib
+          echo ${FORGEJO_TOKEN} | helm registry login -u viceice --password-stdin code.forgejo.org/forgejo-helm
         env:
           CODEBERG_TOKEN: ${{secrets.API_TOKEN}}
           FORGEJO_TOKEN: ${{secrets.FORGEJO_API_TOKEN}}
@@ -190,6 +199,7 @@ jobs:
         run: |
           helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://codeberg.org/forgejo-contrib
           helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://code.forgejo.org/forgejo-contrib
+          helm push tmp/forgejo-${GITHUB_REF_NAME#v}.tgz oci://code.forgejo.org/forgejo-helm
 
       - name: publish forgejo release
         run: pnpm forgejo:release

.forgejo/workflows/mirror.yml

@@ -0,0 +1,26 @@
+on:
+  schedule:
+    - cron: '@hourly'
+
+  push:
+    branches:
+      - 'main'
+
+  workflow_dispatch:
+
+jobs:
+  mirror:
+    runs-on: docker
+    steps:
+      - name: git mirror branches {main,maint/*] & tags
+        run: |
+          git init --bare .
+          git remote add origin https://code.forgejo.org/${{ env.GITHUB_REPOSITORY }}
+          git fetch origin refs/heads/main:refs/mirror/main --tags
+          git ls-remote origin refs/heads/main/* | while read sha full_ref ; do
+            ref=${full_ref#refs/heads/}
+            git fetch origin $full_ref:refs/mirror/$ref
+          done
+          git push --force https://any:$CODEBERG_TOKEN@codeberg.org/forgejo-contrib/forgejo-helm refs/mirror/*:refs/heads/* --tags
+        env:
+          CODEBERG_TOKEN: ${{secrets.CODEBERG_TOKEN}}

.node-version

@@ -1 +1 @@
-20.12.2
+22.14.0

.vscode/settings.json

@@ -4,7 +4,7 @@
       ".github/workflows/*",
       ".forgejo/workflows/*"
     ],
-    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.4.4/schema/helm-testsuite.json": [
+    "https://raw.githubusercontent.com/helm-unittest/helm-unittest/v0.7.2/schema/helm-testsuite.json": [
       "/unittests/**/*.yaml"
     ]
   },

Chart.lock

@@ -1,12 +1,18 @@
 dependencies:
+- name: common
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 2.30.0
 - name: postgresql
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 15.2.5
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 16.5.6
 - name: postgresql-ha
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 14.0.5
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 15.3.8
 - name: redis-cluster
-  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 10.0.2
-digest: sha256:9d09fe6921721c807217899dea60fb8f4ba2f3571475bb27c70efef1d7906e21
-generated: "2024-04-22T12:01:42.540957611Z"
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 11.4.6
+- name: redis
+  repository: oci://ghcr.io/visualon/bitnamicharts
+  version: 20.11.4
+digest: sha256:a9c9f0779663336dd22ca4896f22bb64427e28f20aa567aee2f18474f8e31a23
+generated: "2025-03-26T15:31:33.532188569Z"

Chart.yaml

@@ -3,8 +3,8 @@ name: forgejo
 description: Forgejo Helm chart for Kubernetes
 type: application
 version: 0.0.0
-appVersion: 1.21.11-1
-icon: https://design.codeberg.org/logo-kit/icon.svg
+appVersion: 10.0.3
+icon: https://code.forgejo.org/forgejo/forgejo/raw/branch/forgejo/assets/logo.svg
 home: https://forgejo.org/
 
 keywords:
@@ -16,28 +16,41 @@ keywords:
   - gitea
   - gogs
 sources:
-  - https://codeberg.org/forgejo-contrib/forgejo-helm
+  - https://code.forgejo.org/forgejo-helm/forgejo-helm
   - https://codeberg.org/forgejo/forgejo
 maintainers:
   - name: Michael Kriese
     email: michael.kriese@visualon.de
 
-# Bitnami charts are served from Docker Hub
+# Bitnami charts are served from ghcr mirror because of rate limiting on Docker Hub
 # https://hub.docker.com/u/bitnamicharts
 # https://blog.bitnami.com/2023/01/bitnami-helm-charts-available-as-oci.html
+# https://github.com/bitnami/charts/issues/30853
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
 dependencies:
+  # https://github.com/bitnami/charts/blob/main/bitnami/common/Chart.yaml
+  - name: common
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    tags:
+      - bitnami-common
+    version: 2.30.0
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
   - name: postgresql
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 15.2.5
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 16.5.6
     condition: postgresql.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/postgresql-ha/Chart.yaml
   - name: postgresql-ha
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 14.0.5
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 15.3.8
     condition: postgresql-ha.enabled
   # https://github.com/bitnami/charts/blob/main/bitnami/redis-cluster/Chart.yaml
   - name: redis-cluster
-    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 10.0.2
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 11.4.6
     condition: redis-cluster.enabled
+  # https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml
+  - name: redis
+    repository: oci://ghcr.io/visualon/bitnamicharts
+    version: 20.11.4
+    condition: redis.enabled

LICENSE

@@ -1,5 +1,6 @@
 MIT License
 
+Copyright (c) 2023 The Forgejo Authors
 Copyright (c) 2020 The Gitea Authors
 Copyright (c) 2020 NOVUM-RGI
 Copyright (c) 2019 - 2020 Charlie Drage

Makefile

@@ -9,7 +9,7 @@ readme: prepare-environment
 
 .PHONY: unittests
 unittests:
-	helm unittest --strict -f 'unittests/**/*.yaml' -f 'unittests/dependency-major-image-check.yaml' ./
+	helm unittest --strict -f 'unittests/**/*.yaml' ./
 
 .PHONY: helm
 update-helm-dependencies:

README.md

@@ -1,7 +1,5 @@
 # Forgejo Helm Chart <!-- omit from toc -->
 
-[![status-badge](https://ci.dachary.org/api/badges/forgejo-contrib/forgejo-helm/status.svg)](https://ci.dachary.org/forgejo-contrib/forgejo-helm)
-
 - [Introduction](#introduction)
 - [Update and versioning policy](#update-and-versioning-policy)
 - [Dependencies](#dependencies)
@@ -22,7 +20,6 @@
     - [User defined environment variables in app.ini](#user-defined-environment-variables-in-appini)
   - [External Database](#external-database)
   - [Ports and external url](#ports-and-external-url)
-  - [ClusterIP](#clusterip)
   - [SSH and Ingress](#ssh-and-ingress)
   - [SSH on crio based kubernetes cluster](#ssh-on-crio-based-kubernetes-cluster)
   - [Cache](#cache)
@@ -48,15 +45,23 @@
   - [Init](#init)
   - [Signing](#signing)
   - [Gitea](#gitea)
+  - [`app.ini` overrides](#appini-overrides)
   - [LivenessProbe](#livenessprobe)
   - [ReadinessProbe](#readinessprobe)
   - [StartupProbe](#startupprobe)
-  - [redis-cluster](#redis-cluster)
-  - [PostgreSQL-ha](#postgresql-ha)
+  - [Redis&reg; Cluster](#redis-cluster)
+  - [Redis&reg;](#redis)
+  - [PostgreSQL HA](#postgresql-ha)
   - [PostgreSQL](#postgresql)
   - [Advanced](#advanced)
 - [Contributing](#contributing)
 - [Upgrading](#upgrading)
+  - [To v11](#to-v11)
+  - [To v10](#to-v10)
+  - [To v9](#to-v9)
+  - [To v8](#to-v8)
+  - [To v7](#to-v7)
+  - [To v6](#to-v6)
 
 [Forgejo](https://forgejo.org/) is a community managed lightweight code hosting solution written in Go.
 It is published under the MIT license.
@@ -70,7 +75,7 @@ Additionally, this chart allows to provide LDAP and admin user configuration wit
 ## Update and versioning policy
 
 The Forgejo helm chart versioning does not follow Forgejo's versioning.
-The latest chart version can be looked up in <https://codeberg.org/forgejo-contrib/-/packages/container/forgejo/0.8.0> or in the [repository releases](https://codeberg.org/forgejo-contrib/forgejo-helm/releases).
+The latest chart version can be looked up in <https://code.forgejo.org/forgejo-helm/-/packages/container/forgejo> or in the [repository releases](https://code.forgejo.org/forgejo-helm/forgejo-helm/releases).
 
 The chart aims to follow Forgejo's releases closely.
 There might be times when the chart is behind the latest Forgejo release.
@@ -96,7 +101,8 @@ These dependencies are enabled by default:
 
 Alternatively, the following non-HA replacements are available:
 
-- PostgreSQL ([Bitnami PostgreSQL](<postgresql](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml)>))
+- PostgreSQL ([Bitnami PostgreSQL](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml))
+- Redis ([Bitnami Redis](https://github.com/bitnami/charts/blob/main/bitnami/redis/Chart.yaml))
 
 ### Dependency Versioning
 
@@ -115,19 +121,20 @@ Please double-check the image repository and available tags in the sub-chart:
 - [PostgreSQL-HA](https://hub.docker.com/r/bitnami/postgresql-repmgr/tags)
 - [PostgreSQL](https://hub.docker.com/r/bitnami/postgresql/tags)
 - [Redis Cluster](https://hub.docker.com/r/bitnami/redis-cluster/tags)
+- [Redis](https://hub.docker.com/r/bitnami/redis/tags)
 
 and look up the image tag which fits your needs on Dockerhub.
 
 ## Installing
 
 ```sh
-helm install forgejo oci://codeberg.org/forgejo-contrib/forgejo
+helm install forgejo oci://code.forgejo.org/forgejo-helm/forgejo
 ```
 
 In case you want to supply values, you can reference a `values.yaml` file:
 
 ```sh
-helm install forgejo -f values.yaml oci://codeberg.org/forgejo-contrib/forgejo
+helm install forgejo -f values.yaml oci://code.forgejo.org/forgejo-helm/forgejo
 ```
 
 When upgrading, please refer to the [Upgrading](#upgrading) section at the bottom of this document for major and breaking changes.
@@ -143,14 +150,23 @@ See the [HA Setup](docs/ha-setup.md) document for more details.
 ## Configuration
 
 Forgejo offers lots of configuration options.
-This is fully described in the [Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/).
+Every value described in the [Cheat Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be set as a Helm value.
+Configuration sections map to (lowercased) YAML blocks, while the keys themselves remain in all caps.
 
 ```yaml
 gitea:
   config:
-    APP_NAME: 'Forgejo: With a cup of tea.'
+    # values in the DEFAULT section
+    # (https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default)
+    # are un-namespaced
+    #
+    APP_NAME: 'Forgejo: Git with a cup of tea'
+    #
+    # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#repository-repository
     repository:
       ROOT: '~/gitea-repositories'
+    #
+    # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#repository---pull-request-repositorypull-request
     repository.pull-request:
       WORK_IN_PROGRESS_PREFIXES: 'WIP:,[WIP]:'
 ```
@@ -160,14 +176,14 @@ gitea:
 This chart will set a few defaults in the Forgejo configuration based on the service and ingress settings.
 All defaults can be overwritten in `gitea.config`.
 
-INSTALL_LOCK is always set to true, since we want to configure Forgejo with this helm chart and everything is taken care of.
+INSTALL_LOCK is always set to true because the configuration in this helm chart makes any configuration via installer superfluous.
 
 _All default settings are made directly in the generated `app.ini`, not in the Values._
 
 #### Database defaults
 
-If a builtIn database is enabled the database configuration is set automatically.
-For example, PostgreSQL builtIn will appear in the `app.ini` as:
+If a database subchart is enabled, the database configuration is set automatically.
+For example, PostgreSQL will appear in the `app.ini` as:
 
 ```ini
 [database]
@@ -240,7 +256,7 @@ External tools such as `redis-cluster` or `memcached` handle these workloads muc
 
 If HA is not needed/desired, the following configurations can be used to deploy a single-pod Forgejo instance.
 
-1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql`):
+1. For a production-ready single-pod Forgejo instance without external dependencies (using the chart dependency `postgresql` and `redis`):
 
    <details>
 
@@ -249,6 +265,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
    ```yaml
    redis-cluster:
      enabled: false
+   redis:
+     enabled: true
    postgresql:
      enabled: true
    postgresql-ha:
@@ -261,12 +279,6 @@ If HA is not needed/desired, the following configurations can be used to deploy
      config:
        database:
          DB_TYPE: postgres
-       session:
-         PROVIDER: db
-       cache:
-         ADAPTER: memory
-       queue:
-         TYPE: level
        indexer:
          ISSUE_INDEXER_TYPE: bleve
          REPO_INDEXER_ENABLED: true
@@ -286,6 +298,8 @@ If HA is not needed/desired, the following configurations can be used to deploy
    ```yaml
    redis-cluster:
      enabled: false
+   redis:
+     enabled: false
    postgresql:
      enabled: false
    postgresql-ha:
@@ -367,7 +381,7 @@ stringData:
 #### User defined environment variables in app.ini
 
 Users are able to define their own environment variables, which are loaded into the containers.
-We also support to directly interact with the generated _app.ini_.
+We also support interacting directly with the generated _app.ini_.
 
 To inject self defined variables into the _app.ini_ a certain format needs to be honored.
 This is described in detail on the [env-to-ini](https://github.com/go-gitea/gitea/tree/main/contrib/environment-to-ini) page.
@@ -378,9 +392,10 @@ For example a database setting needs to have the following format:
 
 ```yaml
 gitea:
+  config:
+    database:
+      HOST: my.own.host
   additionalConfigFromEnvs:
-    - name: FORGEJO__DATABASE__HOST
-      value: my.own.host
     - name: FORGEJO__DATABASE__PASSWD
       valueFrom:
         secretKeyRef:
@@ -406,7 +421,7 @@ If an external database is used, no matter which type, make sure to set `postgre
 gitea:
   config:
     database:
-      DB_TYPE: mysql
+      DB_TYPE: mysql # supported values are mysql, postgres, mssql, sqlite3
       HOST: <mysql HOST>
       NAME: gitea
       USER: root
@@ -434,23 +449,6 @@ This helm chart automatically configures the clone urls to use the correct ports
 You can change these ports by hand using the `gitea.config` dict.
 However you should know what you're doing.
 
-### ClusterIP
-
-By default the `clusterIP` will be set to `None`, which is the default for headless services.
-However if you want to omit the clusterIP field in the service, use the following values:
-
-```yaml
-service:
-  http:
-    type: ClusterIP
-    port: 3000
-    clusterIP:
-  ssh:
-    type: ClusterIP
-    port: 22
-    clusterIP:
-```
-
 ### SSH and Ingress
 
 If you're using ingress and want to use SSH, keep in mind, that ingress is not able to forward SSH Ports.
@@ -460,7 +458,7 @@ You will need a LoadBalancer like `metallb` and a setting in your ssh service an
 service:
   ssh:
     annotations:
-      metallb.universe.tf/allow-shared-ip: test
+      metallb.io/allow-shared-ip: test
 ```
 
 ### SSH on crio based kubernetes cluster
@@ -533,8 +531,6 @@ postgresql:
 
 This chart enables you to create a default admin user.
 It is also possible to update the password for this user by upgrading or redeploying the chart.
-It is not possible to delete an admin user after it has been created.
-This has to be done in the ui.
 You cannot use `admin` as username.
 
 ```yaml
@@ -564,6 +560,22 @@ gitea:
     existingSecret: gitea-admin-secret
 ```
 
+To delete the admin user, set `username` or `password` to an empty value and delete the user in the UI.
+
+Whether you use the existing Secret or specify a username and password directly, there are three modes for how the admin user password is created or set.
+
+- `keepUpdated` (the default) will set the admin user password, and reset it to the defined value every time the pod is recreated.
+- `initialOnlyNoReset` will set the admin user password when creating it, but never try to update the password.
+- `initialOnlyRequireReset` will set the admin user password when creating it, never update it, and require that the password be changed at the initial login.
+
+These modes can be set like the following:
+
+```yaml
+gitea:
+  admin:
+    passwordMode: initialOnlyRequireReset
+```
+
 ### LDAP Settings
 
 Like the admin user the LDAP settings can be updated.
@@ -621,7 +633,7 @@ Affected options:
 
 Like the admin user, OAuth2 settings can be updated and disabled but not deleted.
 Deleting OAuth2 settings has to be done in the UI.
-All OAuth2 values, which are documented [here](https://forgejo.org/docs/latest/admin/command-line/#admin), are available.
+[All OAuth2 values](https://forgejo.org/docs/latest/admin/command-line/#admin-auth-add-oauth) are available.
 
 Multiple OAuth2 sources can be configured with additional OAuth list items.
 
@@ -660,14 +672,29 @@ gitea:
       existingSecret: gitea-oauth-secret
 ```
 
+### Compatibility with OCP (OKD or OpenShift)
+
+Normally OCP is automatically detected and the compatibility mode set accordingly. To enforce the OCP compatibility mode use the following configuration:
+
+```yaml
+global:
+  compatibility:
+    openshift:
+      adaptSecurityContext: force
+```
+
+An OCP route to access Forgejo can be enabled with the following config:
+
+```yaml
+route:
+  enabled: true
+```
+
 ## Configure commit signing
 
-When using the rootless image the gpg key folder is not persistent by default.
-If you consider using signed commits for internal Forgejo activities (e.g. initial commit), you'd need to provide a signing key.
-Prior to [PR186](https://gitea.com/gitea/helm-chart/pulls/186), imported keys had to be re-imported once the container got replaced by another.
-
-The mentioned PR introduced a new configuration object `signing` allowing you to configure prerequisites for commit signing.
-By default this section is disabled to maintain backwards compatibility.
+When using the rootless image, the GPG key folder is not persistent by default.
+If you want commits by Forgejo (e.g. initial commit) to be signed,
+you need to provide a signing key:
 
 ```yaml
 signing:
@@ -675,8 +702,10 @@ signing:
   gpgHome: /data/git/.gnupg
 ```
 
-Regardless of the used container image the `signing` object allows to specify a private gpg key.
-Either using the `signing.privateKey` to define the key inline, or refer to an existing secret containing the key data by using `signing.existingSecret`.
+By default this section is disabled to maintain backwards compatibility.
+
+Regardless of the used container image the `signing` object allows to specify a private GPG key.
+Either using the `signing.privateKey` to define the key inline, or referring to an existing secret containing the key data with `signing.existingSecret`.
 
 ```yaml
 apiVersion: v1
@@ -696,7 +725,7 @@ signing:
   existingSecret: custom-gitea-gpg-key
 ```
 
-To use the gpg key, Forgejo needs to be configured accordingly.
+To use the GPG key, Forgejo needs to be configured accordingly.
 A detailed description can be found in the [documentation](https://forgejo.org/docs/latest/admin/signing/#general-configuration).
 
 ## Metrics and profiling
@@ -802,7 +831,7 @@ Here's an examplary `values.yml` definition which makes use of a digest:
 
 ```yaml
 image:
-  registry: codeberg.org
+  registry: code.forgejo.org
   repository: forgejo/forgejo
   tag: 1.20.2-0
   digest: sha256:f597c14a403c2fdee9a62dae8bae29d6442f7b2cc85872cc9bb535a24cb1630e
@@ -819,7 +848,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
     "fileMatch": ["values\\.ya?ml"],
     "matchStrings": ["(?<depName>forgejo\\/forgejo)\\n(?<indentation>\\s+)tag: (?<currentValue>[^@].*?)\\n\\s+digest: (?<currentDigest>sha256:[a-f0-9]+)"],
     "datasourceTemplate": "docker",
-    "packageNameTemplate": "codeberg.org/{{depName}}",
+    "packageNameTemplate": "code.forgejo.org/{{depName}}",
     "autoReplaceStringTemplate": "{{depName}}\n{{indentation}}tag: {{newValue}}\n{{indentation}}digest: {{#if newDigest}}{{{newDigest}}}{{else}}{{{currentDigest}}}{{/if}}"
   }
 ]
@@ -835,6 +864,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `global.imagePullSecrets` | global image pull secrets override; can be extended by `imagePullSecrets` | `[]`  |
 | `global.storageClass`     | global storage class override                                             | `""`  |
 | `global.hostAliases`      | global hostAliases which will be added to the pod's hosts files           | `[]`  |
+| `namespaceOverride`       | String to fully override common.names.namespace                           | `""`  |
 | `replicaCount`            | number of replicas for the deployment                                     | `1`   |
 
 ### strategy
@@ -849,10 +879,10 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 ### Image
 
 | Name                 | Description                                                                                                                                                      | Value              |
-| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- |
-| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `codeberg.org`    |
+| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
+| `image.registry`     | image registry, e.g. gcr.io,docker.io                                                                                                                            | `code.forgejo.org` |
 | `image.repository`   | Image to start for this pod                                                                                                                                      | `forgejo/forgejo`  |
-| `image.tag`          | Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.                              | `""`              |
+| `image.tag`          | Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.                          | `""`               |
 | `image.digest`       | Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`                                                       | `""`               |
 | `image.pullPolicy`   | Image pull policy                                                                                                                                                | `IfNotPresent`     |
 | `image.rootless`     | Wether or not to pull the rootless version of Forgejo                                                                                                            | `true`             |
@@ -874,7 +904,7 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- |
 | `service.http.type`                     | Kubernetes service type for web traffic                                                                                                                                                              | `ClusterIP` |
 | `service.http.port`                     | Port number for web traffic                                                                                                                                                                          | `3000`      |
-| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment is None                                                                                                                                          | `None`      |
+| `service.http.clusterIP`                | ClusterIP setting for http autosetup for deployment                                                                                                                                                  | `nil`       |
 | `service.http.loadBalancerIP`           | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.http.nodePort`                 | NodePort for http service                                                                                                                                                                            | `nil`       |
 | `service.http.externalTrafficPolicy`    | If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                         | `nil`       |
@@ -884,9 +914,10 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `service.http.loadBalancerSourceRanges` | Source range filter for http loadbalancer                                                                                                                                                            | `[]`        |
 | `service.http.annotations`              | HTTP service annotations                                                                                                                                                                             | `{}`        |
 | `service.http.labels`                   | HTTP service additional labels                                                                                                                                                                       | `{}`        |
+| `service.http.loadBalancerClass`        | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 | `service.ssh.type`                      | Kubernetes service type for ssh traffic                                                                                                                                                              | `ClusterIP` |
 | `service.ssh.port`                      | Port number for ssh traffic                                                                                                                                                                          | `22`        |
-| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment is None                                                                                                                                           | `None`      |
+| `service.ssh.clusterIP`                 | ClusterIP setting for ssh autosetup for deployment                                                                                                                                                   | `nil`       |
 | `service.ssh.loadBalancerIP`            | LoadBalancer IP setting                                                                                                                                                                              | `nil`       |
 | `service.ssh.nodePort`                  | NodePort for ssh service                                                                                                                                                                             | `nil`       |
 | `service.ssh.externalTrafficPolicy`     | If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation                                                                                          | `nil`       |
@@ -897,11 +928,12 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `service.ssh.loadBalancerSourceRanges`  | Source range filter for ssh loadbalancer                                                                                                                                                             | `[]`        |
 | `service.ssh.annotations`               | SSH service annotations                                                                                                                                                                              | `{}`        |
 | `service.ssh.labels`                    | SSH service additional labels                                                                                                                                                                        | `{}`        |
+| `service.ssh.loadBalancerClass`         | Loadbalancer class                                                                                                                                                                                   | `nil`       |
 
 ### Ingress
 
 | Name                                 | Description          | Value             |
-| ------------------------------------ | --------------------------------------------------------------------------- | ----------------- |
+| ------------------------------------ | -------------------- | ----------------- |
 | `ingress.enabled`                    | Enable ingress       | `false`           |
 | `ingress.className`                  | Ingress class name   | `nil`             |
 | `ingress.annotations`                | Ingress annotations  | `{}`              |
@@ -909,7 +941,22 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | `ingress.hosts[0].paths[0].path`     | Default Ingress path | `/`               |
 | `ingress.hosts[0].paths[0].pathType` | Ingress path type    | `Prefix`          |
 | `ingress.tls`                        | Ingress tls settings | `[]`              |
-| `ingress.apiVersion`                 | Specify APIVersion of ingress object. Mostly would only be used for argocd. |                   |
+
+### Route
+
+| Name                                      | Description                                                                                                                                                                                       | Value      |
+| ----------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| `route.enabled`                           | Enable route                                                                                                                                                                                      | `false`    |
+| `route.annotations`                       | Route annotations                                                                                                                                                                                 | `{}`       |
+| `route.host`                              | Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)                                                                                                      | `nil`      |
+| `route.wildcardPolicy`                    | Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.                                                                                                            | `nil`      |
+| `route.tls.termination`                   | termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))                                                            | `edge`     |
+| `route.tls.insecureEdgeTerminationPolicy` | the desired behavior for insecure connections to a route (e.g. with http)                                                                                                                         | `Redirect` |
+| `route.tls.existingSecret`                | the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored) | `nil`      |
+| `route.tls.certificate`                   | PEM encoded single certificate                                                                                                                                                                    | `nil`      |
+| `route.tls.privateKey`                    | PEM encoded private key                                                                                                                                                                           | `nil`      |
+| `route.tls.caCertificate`                 | PEM encoded CA certificate or chain that issued the certificate                                                                                                                                   | `nil`      |
+| `route.tls.destinationCACertificate`      | PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)                                                      | `nil`      |
 
 ### deployment
 
@@ -974,28 +1021,84 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 | ------------------------ | ----------------------------------------------------------------- | ------------------ |
 | `signing.enabled`        | Enable commit/action signing                                      | `false`            |
 | `signing.gpgHome`        | GPG home directory                                                | `/data/git/.gnupg` |
-| `signing.privateKey`     | Inline private gpg key for signed Forgejo actions                 | `""`               |
+| `signing.privateKey`     | Inline private GPG key for signed internal Git activity           | `""`               |
 | `signing.existingSecret` | Use an existing secret to store the value of `signing.privateKey` | `""`               |
 
 ### Gitea
 
 | Name                                     | Description                                                                                                                   | Value                |
-| -------------------------------------- | --------------------------------------------------------------------------- | -------------------- |
+| ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- | -------------------- |
 | `gitea.admin.username`                   | Username for the Forgejo admin user                                                                                           | `gitea_admin`        |
 | `gitea.admin.existingSecret`             | Use an existing secret to store admin user credentials                                                                        | `nil`                |
 | `gitea.admin.password`                   | Password for the Forgejo admin user                                                                                           | `r8sA8CPHD9!bt6d`    |
 | `gitea.admin.email`                      | Email for the Forgejo admin user                                                                                              | `gitea@local.domain` |
+| `gitea.admin.passwordMode`               | Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated | `keepUpdated`        |
 | `gitea.metrics.enabled`                  | Enable Forgejo metrics                                                                                                        | `false`              |
 | `gitea.metrics.serviceMonitor.enabled`   | Enable Forgejo metrics service monitor                                                                                        | `false`              |
+| `gitea.metrics.serviceMonitor.namespace` | Namespace in which Prometheus is running                                                                                      | `""`                 |
 | `gitea.ldap`                             | LDAP configuration                                                                                                            | `[]`                 |
 | `gitea.oauth`                            | OAuth configuration                                                                                                           | `[]`                 |
-| `gitea.config.server.SSH_PORT`         | SSH port for rootlful Forgejo image                                         | `22`                 |
-| `gitea.config.server.SSH_LISTEN_PORT`  | SSH port for rootless Forgejo image                                         | `2222`               |
 | `gitea.additionalConfigSources`          | Additional configuration from secret or configmap                                                                             | `[]`                 |
 | `gitea.additionalConfigFromEnvs`         | Additional configuration sources from environment variables                                                                   | `[]`                 |
 | `gitea.podAnnotations`                   | Annotations for the Forgejo pod                                                                                               | `{}`                 |
 | `gitea.ssh.logLevel`                     | Configure OpenSSH's log level. Only available for root-based Forgejo image.                                                   | `INFO`               |
 
+### `app.ini` overrides
+
+Every value described in the [Cheat
+Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
+set as a Helm value. Configuration sections map to (lowercased) YAML
+blocks, while the keys themselves remain in all caps.
+
+| Name                                 | Description                                                                                                                                    | Value                               |
+| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- |
+| `gitea.config.APP_NAME`              | Application name, used in the page title                                                                                                       | `Forgejo: Beyond coding. We forge.` |
+| `gitea.config.RUN_MODE`              | Application run mode, affects performance and debugging: `dev` or `prod`                                                                       | `prod`                              |
+| `gitea.config.repository`            | General repository settings                                                                                                                    | `{}`                                |
+| `gitea.config.cors`                  | Cross-origin resource sharing settings                                                                                                         | `{}`                                |
+| `gitea.config.ui`                    | User interface settings                                                                                                                        | `{}`                                |
+| `gitea.config.markdown`              | Markdown parser settings                                                                                                                       | `{}`                                |
+| `gitea.config.server`                | General server settings                                                                                                                        | `{}`                                |
+| `gitea.config.database`              | Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)). | `{}`                                |
+| `gitea.config.indexer`               | Settings for what content is indexed and how                                                                                                   | `{}`                                |
+| `gitea.config.queue`                 | Job queue configuration                                                                                                                        | `{}`                                |
+| `gitea.config.admin`                 | Admin user settings                                                                                                                            | `{}`                                |
+| `gitea.config.security`              | Site security settings                                                                                                                         | `{}`                                |
+| `gitea.config.camo`                  | Settings for the [camo](https://github.com/cactus/go-camo) media proxy server (disabled by default)                                            | `{}`                                |
+| `gitea.config.openid`                | Configuration for authentication with OpenID (disabled by default)                                                                             | `{}`                                |
+| `gitea.config.oauth2_client`         | OAuth2 client settings                                                                                                                         | `{}`                                |
+| `gitea.config.service`               | Configuration for miscellaneous Forgejo services                                                                                               | `{}`                                |
+| `gitea.config.ssh.minimum_key_sizes` | SSH minimum key sizes                                                                                                                          | `{}`                                |
+| `gitea.config.webhook`               | Webhook settings                                                                                                                               | `{}`                                |
+| `gitea.config.mailer`                | Mailer configuration (disabled by default)                                                                                                     | `{}`                                |
+| `gitea.config.email.incoming`        | Configuration for handling incoming mail (disabled by default)                                                                                 | `{}`                                |
+| `gitea.config.cache`                 | Cache configuration                                                                                                                            | `{}`                                |
+| `gitea.config.session`               | Session/cookie handling                                                                                                                        | `{}`                                |
+| `gitea.config.picture`               | User avatar settings                                                                                                                           | `{}`                                |
+| `gitea.config.project`               | Project board defaults                                                                                                                         | `{}`                                |
+| `gitea.config.attachment`            | Issue and PR attachment configuration                                                                                                          | `{}`                                |
+| `gitea.config.log`                   | Logging configuration                                                                                                                          | `{}`                                |
+| `gitea.config.cron`                  | Cron job configuration                                                                                                                         | `{}`                                |
+| `gitea.config.git`                   | Global settings for Git                                                                                                                        | `{}`                                |
+| `gitea.config.metrics`               | Settings for the Prometheus endpoint (disabled by default)                                                                                     | `{}`                                |
+| `gitea.config.api`                   | Settings for the Swagger API documentation endpoints                                                                                           | `{}`                                |
+| `gitea.config.oauth2`                | Settings for the [OAuth2 provider](https://forgejo.org/docs/latest/admin/oauth2-provider/)                                                     | `{}`                                |
+| `gitea.config.i18n`                  | Internationalization settings                                                                                                                  | `{}`                                |
+| `gitea.config.markup`                | Configuration for advanced markup processors                                                                                                   | `{}`                                |
+| `gitea.config.highlight.mapping`     | File extension to language mapping overrides for syntax highlighting                                                                           | `{}`                                |
+| `gitea.config.time`                  | Locale settings                                                                                                                                | `{}`                                |
+| `gitea.config.migrations`            | Settings for Git repository migrations                                                                                                         | `{}`                                |
+| `gitea.config.federation`            | Federation configuration                                                                                                                       | `{}`                                |
+| `gitea.config.packages`              | Package registry settings                                                                                                                      | `{}`                                |
+| `gitea.config.mirror`                | Configuration for repository mirroring                                                                                                         | `{}`                                |
+| `gitea.config.lfs`                   | Large File Storage configuration                                                                                                               | `{}`                                |
+| `gitea.config.repo-avatar`           | Repository avatar storage configuration                                                                                                        | `{}`                                |
+| `gitea.config.avatar`                | User/org avatar storage configuration                                                                                                          | `{}`                                |
+| `gitea.config.storage`               | General storage settings                                                                                                                       | `{}`                                |
+| `gitea.config.proxy`                 | Proxy configuration (disabled by default)                                                                                                      | `{}`                                |
+| `gitea.config.actions`               | Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/)                                                             | `{}`                                |
+| `gitea.config.other`                 | Uncategorized configuration options                                                                                                            | `{}`                                |
+
 ### LivenessProbe
 
 | Name                                      | Description                                      | Value  |
@@ -1011,9 +1114,10 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 ### ReadinessProbe
 
 | Name                                       | Description                                       | Value          |
-| ------------------------------------------ | ------------------------------------------------- | ------ |
+| ------------------------------------------ | ------------------------------------------------- | -------------- |
 | `gitea.readinessProbe.enabled`             | Enable readiness probe                            | `true`         |
-| `gitea.readinessProbe.tcpSocket.port`      | Port to probe for readiness                       | `http` |
+| `gitea.readinessProbe.httpGet.path`        | Path to probe for readiness                       | `/api/healthz` |
+| `gitea.readinessProbe.httpGet.port`        | Port to probe for readiness                       | `http`         |
 | `gitea.readinessProbe.initialDelaySeconds` | Initial delay before readiness probe is initiated | `5`            |
 | `gitea.readinessProbe.timeoutSeconds`      | Timeout for readiness probe                       | `1`            |
 | `gitea.readinessProbe.periodSeconds`       | Period for readiness probe                        | `10`           |
@@ -1035,19 +1139,33 @@ To comply with the Forgejo helm chart definition of the digest parameter, a "cus
 ### Redis&reg; Cluster
 
 Redis&reg; Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
-Complete Configuration can be taken from their website.
+Full configuration options are available on their website.
+Redis cluster and [Redis](#redis) cannot be enabled at the same time.
 
 | Name                             | Description                                  | Value   |
 | -------------------------------- | -------------------------------------------- | ------- |
-| `redis-cluster.enabled`          | Enable redis                                 | `true`  |
+| `redis-cluster.enabled`          | Enable redis cluster                         | `true`  |
 | `redis-cluster.usePassword`      | Whether to use password authentication       | `false` |
 | `redis-cluster.cluster.nodes`    | Number of redis cluster master nodes         | `3`     |
 | `redis-cluster.cluster.replicas` | Number of redis cluster master node replicas | `0`     |
 
+### Redis&reg;
+
+Redis&reg; is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
+Full configuration options are available on their website.
+Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+
+| Name                          | Description                                | Value        |
+| ----------------------------- | ------------------------------------------ | ------------ |
+| `redis.enabled`               | Enable redis standalone or replicated      | `false`      |
+| `redis.architecture`          | Whether to use standalone or replication   | `standalone` |
+| `redis.global.redis.password` | Required password                          | `changeme`   |
+| `redis.master.count`          | Number of Redis master instances to deploy | `1`          |
+
 ### PostgreSQL HA
 
 PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
-Complete Configuration can be taken from their website.
+Full configuration options are available on their website.
 
 | Name                                        | Description                                                      | Value       |
 | ------------------------------------------- | ---------------------------------------------------------------- | ----------- |
@@ -1060,12 +1178,12 @@ Complete Configuration can be taken from their website.
 | `postgresql-ha.postgresql.postgresPassword` | postgres Password                                                | `changeme1` |
 | `postgresql-ha.pgpool.adminPassword`        | pgpool adminPassword                                             | `changeme3` |
 | `postgresql-ha.service.ports.postgresql`    | PostgreSQL service port (overrides `service.ports.postgresql`)   | `5432`      |
-| `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL-ha volume                     | `10Gi`      |
+| `postgresql-ha.primary.persistence.size`    | PVC Storage Request for PostgreSQL HA volume                     | `10Gi`      |
 
 ### PostgreSQL
 
 PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
-Complete Configuration can be taken from their website.
+Full configuration options are available on their website.
 
 | Name                                                    | Description                                                      | Value   |
 | ------------------------------------------------------- | ---------------------------------------------------------------- | ------- |
@@ -1080,11 +1198,11 @@ Complete Configuration can be taken from their website.
 
 | Name               | Description                                                        | Value     |
 | ------------------ | ------------------------------------------------------------------ | --------- |
-| `checkDeprecation` | Set it to false to skip this basic validation check.               | `true`    |
-| `test.enabled`     | Set it to false to disable test-connection Pod.                    | `true`    |
+| `checkDeprecation` | Whether to run this basic validation check.                        | `true`    |
+| `test.enabled`     | Whether to use test-connection Pod.                                | `true`    |
 | `test.image.name`  | Image name for the wget container used in the test-connection Pod. | `busybox` |
 | `test.image.tag`   | Image tag for the wget container used in the test-connection Pod.  | `latest`  |
-| `extraDeploy`      | Array of extra objects to deploy with the release                  | `[]`      |
+| `extraDeploy`      | Array of extra objects to deploy with the release.                 | `[]`      |
 
 ## Contributing
 
@@ -1092,8 +1210,46 @@ Expected workflow is: Fork -> Patch -> Push -> Pull Request
 
 See [CONTRIBUTORS GUIDE](CONTRIBUTING.md) for details.
 
+Hop into [our Matrix room](https://matrix.to/#/#forgejo-helm-chart:matrix.org) if you have any questions or want to get involved.
+
 ## Upgrading
 
 This section lists major and breaking changes of each Helm Chart version.
 Please read them carefully to upgrade successfully, especially the change of the **default database backend**!
 If you miss this, blindly upgrading may delete your Postgres instance and you may lose your data!
+
+### To v11
+
+PostgreSQL and PostgreSQL HA are now using PostgreSQL v17.
+Please read PostgresSQL upgrade guide before upgrading.
+
+You need Forgejo v10+ to use this Helm Chart version.
+Forgejo v9 is now EOL.
+
+ClusterIP is now emtpy instead of `None` for http and ssh service.
+Unsupported api versions for `Ingress` and `PodDisruptionBudget` are removed.
+`Ingress` and `Service` are now using named ports.
+The ReadinessProbe is now using the `/api/healthz` endpoint.
+
+### To v10
+
+You need Forgejo v9+ to use this Helm Chart version.
+Forgejo v8 is now EOL.
+
+### To v9
+
+Namespaces for all resources are now set to `common.names.namespace` by default.
+
+### To v8
+
+You need Forgejo v8+ to use this Helm Chart version.
+Use the v7 Helm Chart for Forgejo v7.
+
+### To v7
+
+The Forgejo docker image is pulled from `code.forgejo.org` instead of `codeberg.org`.
+
+### To v6
+
+You need Forgejo v7+ to use this Helm Chart version.
+Use the v5 Helm Chart for Forgejo v1.21.

artifacthub-repo.yml

@@ -2,7 +2,7 @@
 # Artifact Hub repository metadata file
 # https://artifacthub.io/docs/topics/repositories/helm-charts/#oci-support
 # publish via:
-# oras push codeberg.org/forgejo-contrib/forgejo:artifacthub.io --config artifacthub.config.json:application/vnd.cncf.artifacthub.config.v1+yaml artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
+# oras push code.forgejo.org/forgejo-helm/forgejo:artifacthub.io --config artifacthub.config.json:application/vnd.cncf.artifacthub.config.v1+yaml artifacthub-repo.yml:application/vnd.cncf.artifacthub.repository-metadata.layer.v1.yaml
 repositoryID: 'ec84c95a-a288-4aaa-a690-a656b57e3136'
 owners: # (optional, used to claim repository ownership)
   - name: viceice

ci/default-values.yaml

@@ -0,0 +1,20 @@
+# default values with some modifications
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+global:
+  security:
+    allowInsecureImages: true
+redis-cluster:
+  image:
+    registry: public.ecr.aws
+postgresql-ha:
+  postgresql:
+    image:
+      registry: public.ecr.aws
+  pgpool:
+    image:
+      registry: public.ecr.aws
+test:
+  image:
+    name: code.forgejo.org/oci/busybox

ci/default.yml

@@ -1 +0,0 @@
-# default values

ci/dev-values.yaml

@@ -1,7 +1,14 @@
+# Test codeberg.org image
+image:
+  registry: codeberg.org
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
+
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: false
 postgresql-ha:
   enabled: false
 

ci/single-values.yaml

@@ -1,10 +1,24 @@
 redis-cluster:
   enabled: false
-postgresql:
-  enabled: true
 postgresql-ha:
   enabled: false
 
+postgresql:
+  enabled: true
+  # Use mirror
+  # https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+  image:
+    registry: public.ecr.aws
+global:
+  security:
+    allowInsecureImages: true
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
+
 persistence:
   enabled: true
 

ci/v10-values.yaml

@@ -0,0 +1,29 @@
+image:
+  registry: codeberg.org
+  repository: forgejo-experimental/forgejo
+  tag: 10 # don't pin, manifests can be missing
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
+
+redis-cluster:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+persistence:
+  enabled: false
+
+gitea:
+  config:
+    database:
+      DB_TYPE: sqlite3
+    session:
+      PROVIDER: memory
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level

ci/v11-values.yaml

@@ -0,0 +1,29 @@
+image:
+  registry: codeberg.org
+  repository: forgejo-experimental/forgejo
+  tag: 11 # don't pin, manifests can be missing
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
+
+redis-cluster:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+persistence:
+  enabled: false
+
+gitea:
+  config:
+    database:
+      DB_TYPE: sqlite3
+    session:
+      PROVIDER: memory
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level

ci/v12-values.yaml

@@ -0,0 +1,29 @@
+image:
+  registry: codeberg.org
+  repository: forgejo-experimental/forgejo
+  tag: 12 # don't pin, manifests can be missing
+
+# Use mirror
+# https://code.forgejo.org/forgejo-helm/forgejo-helm/issues/1045
+test:
+  image:
+    name: code.forgejo.org/oci/busybox
+
+redis-cluster:
+  enabled: false
+postgresql-ha:
+  enabled: false
+
+persistence:
+  enabled: false
+
+gitea:
+  config:
+    database:
+      DB_TYPE: sqlite3
+    session:
+      PROVIDER: memory
+    cache:
+      ADAPTER: memory
+    queue:
+      TYPE: level

package.json

@@ -1,6 +1,6 @@
 {
   "name": "forgejo-helm-chart",
-  "homepage": "https://codeberg.org/forgejo-contrib/forgejo-helm.git",
+  "homepage": "https://code.forgejo.org/forgejo-helm/forgejo-helm",
   "license": "MIT",
   "private": true,
   "scripts": {
@@ -10,21 +10,22 @@
     "prettier": "prettier --check --ignore-unknown --cache '**/*.*'",
     "prettier-fix": "prettier --write --ignore-unknown --cache '**/*.*'",
     "readme:lint": "markdownlint *.md -f",
-    "readme:parameters": "readme-generator -v values.yaml -r README.md"
+    "readme:parameters": "readme-generator -v values.yaml -r README.md",
+    "test": "helm unittest --strict -f 'unittests/**/*.yaml' ./"
   },
   "devDependencies": {
-    "@bitnami/readme-generator-for-helm": "^2.4.2",
-    "clipanion": "^3.2.1",
-    "conventional-changelog-conventionalcommits": "^7.0.0",
-    "conventional-changelog-core": "^7.0.0",
-    "husky": "^9.0.0",
-    "lint-staged": "^15.2.0",
-    "markdownlint-cli": "^0.39.0",
-    "prettier": "^3.1.0"
+    "@bitnami/readme-generator-for-helm": "2.7.0",
+    "clipanion": "3.2.1",
+    "conventional-changelog-conventionalcommits": "8.0.0",
+    "conventional-changelog-core": "9.0.0",
+    "husky": "9.1.7",
+    "lint-staged": "15.5.0",
+    "markdownlint-cli": "0.44.0",
+    "prettier": "3.5.3"
   },
-  "packageManager": "pnpm@9.0.5",
+  "packageManager": "pnpm@10.7.0",
   "engines": {
-    "node": "^18.12.0 || >=20.9.0",
-    "pnpm": "^9.0.0"
+    "node": "^22.0.0",
+    "pnpm": "^10.0.0"
   }
 }

renovate.json

@@ -1,9 +1,24 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["forgejo-contrib/forgejo-renovate//base.json"],
+  "extends": [
+    "forgejo-contrib/forgejo-renovate//base.json",
+    "forgejo-helm/forgejo-helm//.forgejo/renovate/k3s.json"
+  ],
   "assignees": ["viceice"],
-  "enabledManagers": ["helmv3", "nodenv", "npm", "regex", "github-actions"],
+  "baseBranches": ["main", "/^maint\\/.+/"],
   "packageRules": [
+    {
+      "description": "Separate multiple major sub chart updates",
+      "matchFileNames": ["Chart.yaml"],
+      "separateMultipleMajor": true
+    },
+    {
+      "description": "Require approval for major sub chart updates for maintenance branches",
+      "matchBaseBranches": ["/^maint\\/.+/"],
+      "matchUpdateTypes": ["major"],
+      "matchFileNames": ["Chart.yaml"],
+      "dependencyDashboardApproval": true
+    },
     {
       "matchManagers": ["helmv3"],
       "matchUpdateTypes": ["minor", "patch"],
@@ -15,23 +30,25 @@
       "semanticCommitType": "feat"
     },
     {
-      "matchManagers": ["regex"],
+      "matchManagers": ["custom.regex"],
       "matchDepNames": ["forgejo"],
       "matchUpdateTypes": ["patch"],
       "semanticCommitType": "fix"
     },
     {
-      "matchManagers": ["regex"],
+      "matchManagers": ["custom.regex"],
       "matchDepNames": ["forgejo"],
       "matchUpdateTypes": ["major", "minor"],
       "semanticCommitType": "feat"
     },
     {
-      "description": "Automerge patch deps updates",
+      "description": "Automerge and group helm subchart updates weekly (minor & patch)",
       "matchManagers": ["helmv3"],
-      "matchFiles": ["Chart.yaml"],
-      "matchUpdateTypes": ["patch"],
-      "automerge": true
+      "matchFileNames": ["Chart.yaml"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "automerge": true,
+      "groupName": "subcharts",
+      "extends": ["schedule:weekly"]
     },
     {
       "description": "Automerge dev deps updates",
@@ -53,16 +70,34 @@
       "automerge": true
     },
     {
-      "description": "Separate minor and patch updates for kindest",
-      "matchPackageNames": ["kindest/node"],
-      "separateMinorPatch": true
+      "description": "Automerge digest updates",
+      "matchUpdateTypes": ["digest"],
+      "automerge": true
     },
     {
-      "description": "Require approval and no automerge for kindest major and minor updates",
-      "matchPackageNames": ["kindest/node"],
-      "matchUpdateTypes": ["major", "minor"],
-      "dependencyDashboardApproval": true,
-      "automerge": false
+      "description": "Use test scope for forgejo ci tests",
+      "matchFileNames": ["ci/*.yaml"],
+      "additionalBranchPrefix": "ci-forgejo-",
+      "semanticCommitType": "ci",
+      "semanticCommitScope": "forgejo",
+      "groupName": "experimental docker digests",
+      "extends": ["schedule:daily"]
+    },
+    {
+      "description": "Disable updates for forgejo ci tests",
+      "matchFileNames": ["ci/*.yaml"],
+      "matchUpdateTypes": ["major", "minor", "patch"],
+      "enabled": false
+    },
+    {
+      "description": "Don't pin digests for forgejo ci tests, not supported",
+      "matchFileNames": ["ci/*.yaml"],
+      "pinDigests": false
+    },
+    {
+      "description": "branch automerge not possible",
+      "automergeType": "pr",
+      "matchPackageNames": ["/.+/"]
     }
   ],
   "customManagers": [
@@ -72,7 +107,7 @@
       "fileMatch": ["^Chart\\.yaml$"],
       "matchStrings": ["appVersion: (?<currentValue>.+?)\\s"],
       "depNameTemplate": "forgejo",
-      "packageNameTemplate": "codeberg.org/forgejo/forgejo",
+      "packageNameTemplate": "code.forgejo.org/forgejo/forgejo",
       "datasourceTemplate": "docker"
     },
     {
@@ -88,13 +123,15 @@
     },
     {
       "customType": "regex",
-      "description": "Update kindest kubernetes references",
+      "description": "Update k3s kubernetes references",
       "fileMatch": ["^\\.forgejo/workflows/[^/]+\\.ya?ml$"],
-      "matchStrings": [
-        " +- (?<currentValue>v\\d+\\.\\d+\\.\\d+) # renovate: kindest\\n"
+      "matchStrings": [" +- (?<currentValue>.+?) # renovate: k3s\\n"],
+      "depNameTemplate": "k3s",
+      "packageNameTemplate": "k3s-io/k3s",
+      "datasourceTemplate": "github-releases"
+    }
   ],
-      "depNameTemplate": "kindest/node",
-      "datasourceTemplate": "docker"
+  "helm-values": {
+    "fileMatch": ["^ci/.+\\.yaml$"]
   }
-  ]
 }

templates/_helpers.tpl

@@ -3,26 +3,6 @@
 Expand the name of the chart.
 */}}
 
-{{- /* multiple replicas assertions */ -}}
-{{- if gt .Values.replicaCount 1.0 -}}
-  {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- if eq (get (.Values.persistence.accessModes 0) "ReadWriteOnce") -}}
-    {{- fail "When using multiple replicas, a RWX file system is required" -}}
-  {{- end }}
-  
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if and (eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve") (eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED "true") -}}
-    {{- fail "When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'" -}}
-  {{- end }}
-  
-  {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
-    {{- (printf "DEBUG: When using multiple replicas, the repo indexer must be set to 'meilisearch' or 'elasticsearch'") | fail -}}
-  {{- end }}
-{{- end }}
-
 {{- define "gitea.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
@@ -52,6 +32,14 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
 
+{{/*
+Get version from .Values.image.tag or Chart.AppVersion.
+Trim optional docker digest.
+*/}}
+{{- define "gitea.version" -}}
+{{- regexReplaceAll "@.+" (.Values.image.tag | default .Chart.AppVersion | toString) "" -}}
+{{- end -}}
+
 {{/*
 Create image name and tag used by the deployment.
 */}}
@@ -60,7 +48,7 @@ Create image name and tag used by the deployment.
 {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}}
 {{- $repository := .Values.image.repository -}}
 {{- $separator := ":" -}}
-{{- $tag := .Values.image.tag | default .Chart.AppVersion -}}
+{{- $tag := .Values.image.tag | default .Chart.AppVersion | toString -}}
 {{- $rootless := ternary "-rootless" "" (.Values.image.rootless) -}}
 {{- $digest := "" -}}
 {{- if .Values.image.digest }}
@@ -94,7 +82,7 @@ imagePullSecrets:
 Storage Class
 */}}
 {{- define "gitea.persistence.storageClass" -}}
-{{- $storageClass := .Values.persistence.storageClass | default .Values.global.storageClass }}
+{{- $storageClass :=  (tpl ( default "" .Values.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
 {{- if $storageClass }}
 storageClassName: {{ $storageClass | quote }}
 {{- end }}
@@ -107,8 +95,8 @@ Common labels
 helm.sh/chart: {{ include "gitea.chart" . }}
 app: {{ include "gitea.name" . }}
 {{ include "gitea.selectorLabels" . }}
-app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
-version: {{ .Values.image.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/version: {{ include "gitea.version" . | quote }}
+version: {{ include "gitea.version" . | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end -}}
 
@@ -133,20 +121,28 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end -}}
 
 {{- define "redis.dns" -}}
-{{- if (index .Values "redis-cluster").enabled -}}
+{{- if and ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
+{{- fail "redis and redis-cluster cannot be enabled at the same time. Please only choose one." -}}
+{{- else if (index .Values "redis-cluster").enabled -}}
 {{- printf "redis+cluster://:%s@%s-redis-cluster-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis-cluster").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis-cluster").service.ports.redis -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "redis://:%s@%s-redis-headless.%s.svc.%s:%g/0?pool_size=100&idle_timeout=180s&" (index .Values "redis").global.redis.password .Release.Name .Release.Namespace .Values.clusterDomain (index .Values "redis").master.service.ports.redis -}}
 {{- end -}}
 {{- end -}}
 
 {{- define "redis.port" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{ (index .Values "redis-cluster").service.ports.redis }}
+{{- else if (index .Values "redis").enabled -}}
+{{ (index .Values "redis").master.service.ports.redis }}
 {{- end -}}
 {{- end -}}
 
 {{- define "redis.servicename" -}}
 {{- if (index .Values "redis-cluster").enabled -}}
 {{- printf "%s-redis-cluster-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
+{{- else if (index .Values "redis").enabled -}}
+{{- printf "%s-redis-headless.%s.svc.%s" .Release.Name .Release.Namespace .Values.clusterDomain -}}
 {{- end -}}
 {{- end -}}
 
@@ -228,7 +224,7 @@ https
         {{- $_ := set $inlines $key (join "\n" $section) -}}
       {{- end -}}
     {{- else }}
-      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") -}}
+      {{- if or (eq $key "APP_NAME") (eq $key "RUN_USER") (eq $key "RUN_MODE") (eq $key "APP_SLOGAN") (eq $key "APP_DISPLAY_NAME_FORMAT") -}}
         {{- $generals = append $generals (printf "%s=%s" $key $value) -}}
       {{- else -}}
         {{- (printf "Key %s cannot be on top level of configuration" $key) | fail -}}
@@ -291,7 +287,7 @@ https
     {{- $_ := set .Values.gitea.config.metrics "ENABLED" .Values.gitea.metrics.enabled -}}
   {{- end -}}
   {{- /* redis queue */ -}}
-  {{- if (index .Values "redis-cluster").enabled -}}
+  {{- if or ((index .Values "redis-cluster").enabled) ((index .Values "redis").enabled) -}}
     {{- $_ := set .Values.gitea.config.queue "TYPE" "redis" -}}
     {{- $_ := set .Values.gitea.config.queue "CONN_STR" (include "redis.dns" .) -}}
     {{- $_ := set .Values.gitea.config.session "PROVIDER" "redis" -}}
@@ -412,3 +408,11 @@ https
 {{- define "gitea.serviceAccountName" -}}
 {{ .Values.serviceAccount.name | default (include "gitea.fullname" .) }}
 {{- end -}}
+
+{{- define "gitea.admin.passwordMode" -}}
+{{- if has .Values.gitea.admin.passwordMode (tuple "keepUpdated" "initialOnlyNoReset" "initialOnlyRequireReset") -}}
+{{ .Values.gitea.admin.passwordMode }}
+{{- else -}}
+{{ printf "gitea.admin.passwordMode must be set to one of 'keepUpdated', 'initialOnlyNoReset', or 'initialOnlyRequireReset'. Received: '%s'" .Values.gitea.admin.passwordMode | fail }}
+{{- end -}}
+{{- end -}}

templates/gitea/config.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-inline-config
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -25,26 +26,31 @@ stringData:
     
     {{- /* multiple replicas assertions */ -}}
     {{- if gt .Values.replicaCount 1.0 -}}
-  {{- if (get (get .Values.gitea.config "cron.GIT_GC_REPOS") "ENABLED") -}}
-    {{- fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." -}}
+      {{- if .Values.gitea.config.cron -}}
+        {{- if .Values.gitea.config.cron.GIT_GC_REPOS -}}
+          {{- if eq .Values.gitea.config.cron.GIT_GC_REPOS.ENABLED true -}}
+            {{ fail "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'." }}
+          {{- end }}
+        {{- end }}
       {{- end }}
     
       {{- if eq (first .Values.persistence.accessModes) "ReadWriteOnce" -}}
         {{- fail "When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany." -}}
       {{- end }}
-
-  {{- if eq (get .Values.gitea.config.indexer "ISSUE_INDEXER_TYPE") "bleve" -}}
+      {{- if .Values.gitea.config.indexer -}}
+        {{- if eq .Values.gitea.config.indexer.ISSUE_INDEXER_TYPE "bleve" -}}
           {{- fail "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)." -}}
         {{- end }}
         {{- if .Values.gitea.config.indexer.REPO_INDEXER_TYPE -}}
-    {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_TYPE") "bleve" -}}
+          {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_TYPE "bleve" -}}
             {{- if .Values.gitea.config.indexer.REPO_INDEXER_ENABLED -}}
-        {{- if eq (get .Values.gitea.config.indexer "REPO_INDEXER_ENABLED") "true" -}}
+              {{- if eq .Values.gitea.config.indexer.REPO_INDEXER_ENABLED true -}}
                 {{- fail "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled." -}}
               {{- end }}
             {{- end }}
           {{- end }}
         {{- end }}
+      {{- end }}
 
     {{- end }}
   config_environment.sh: |-
@@ -83,15 +89,18 @@ stringData:
 
       env2ini::log "    + '${setting}'"
 
+      local masked_setting="${setting//./_0X2E_}"                           # '//' instructs to replace all matches
+      masked_setting="${masked_setting//-/_0X2D_}"
+
       if [[ -z "${section}" ]]; then
-        export "FORGEJO____${setting^^}=${value}"                           # '^^' makes the variable content uppercase
+        export "FORGEJO____${masked_setting^^}=${value}"                           # '^^' makes the variable content uppercase
         return
       fi
 
       local masked_section="${section//./_0X2E_}"                           # '//' instructs to replace all matches
       masked_section="${masked_section//-/_0X2D_}"
 
-      export "FORGEJO__${masked_section^^}__${setting^^}=${value}"          # '^^' makes the variable content uppercase
+      export "FORGEJO__${masked_section^^}__${masked_setting^^}=${value}"          # '^^' makes the variable content uppercase
     }
 
     function env2ini::reload_preset_envs() {

templates/gitea/deployment.yaml

@@ -2,12 +2,16 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   annotations:
     {{- if .Values.deployment.annotations }}
     {{- toYaml .Values.deployment.annotations | nindent 4 }}
     {{- end }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
+    {{- if .Values.deployment.labels }}
+    {{- toYaml .Values.deployment.labels | nindent 4 }}
+    {{- end }}
 spec:
   replicas: {{ .Values.replicaCount }}
   strategy:
@@ -53,7 +57,7 @@ spec:
       {{- end }}
       {{- include "gitea.images.pullSecrets" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.podSecurityContext "context" $) | nindent 8 }}
       initContainers:
         - name: init-directories
           image: "{{ include "gitea.image" . }}"
@@ -87,7 +91,7 @@ spec:
               {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         - name: init-app-ini
@@ -127,7 +131,7 @@ spec:
             {{- end }}
             {{- include "gitea.init-additional-mounts" . | nindent 12 }}
           securityContext:
-            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
           resources:
             {{- toYaml .Values.initContainers.resources | nindent 12 }}
         {{- if .Values.signing.enabled }}
@@ -141,7 +145,7 @@ spec:
             {{- if not (hasKey $csc "runAsUser") -}}
             {{- $_ := set $csc "runAsUser" 1000 -}}
             {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
           env:
             - name: GNUPGHOME
               value: {{ .Values.signing.gpgHome }}
@@ -172,7 +176,7 @@ spec:
             {{- if not (hasKey $csc "runAsUser") -}}
             {{- $_ := set $csc "runAsUser" 1000 -}}
             {{- end -}}
-            {{- toYaml $csc | nindent 12 }}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $csc "context" $) | nindent 12 }}
           env:
             - name: GITEA_APP_INI
               value: /data/gitea/conf/app.ini
@@ -240,6 +244,8 @@ spec:
             - name: GITEA_ADMIN_PASSWORD
               value: {{ .Values.gitea.admin.password | quote }}
             {{- end }}
+            - name: GITEA_ADMIN_PASSWORD_MODE
+              value: {{ include "gitea.admin.passwordMode" $ }}
             {{- if .Values.deployment.env }}
             {{- toYaml .Values.deployment.env | nindent 12 }}
             {{- end }}
@@ -321,9 +327,9 @@ spec:
           securityContext:
             {{- /* Honor the deprecated securityContext variable when defined */ -}}
             {{- if .Values.containerSecurityContext -}}
-            {{ toYaml .Values.containerSecurityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) | nindent 12 }}
             {{- else -}}
-            {{ toYaml .Values.securityContext | nindent 12 -}}
+            {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.securityContext "context" $) | nindent 12 }}
             {{- end }}
           volumeMounts:
             - name: temp

templates/gitea/gpg-secret.yaml

@@ -7,6 +7,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.gpg-key-secret-name" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque

templates/gitea/http-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.http.labels }}
@@ -11,7 +12,11 @@ metadata:
     {{- toYaml .Values.service.http.annotations | nindent 4 }}
 spec:
   type: {{ .Values.service.http.type }}
-  {{- if and .Values.service.http.loadBalancerIP (eq .Values.service.http.type "LoadBalancer") }}
+  {{- if eq .Values.service.http.type "LoadBalancer" }}
+  {{- if .Values.service.http.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.http.loadBalancerClass }}
+  {{- end }}
+  {{- if and .Values.service.http.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.http.loadBalancerIP  }}
   {{- end }}
   {{- if .Values.service.http.loadBalancerSourceRanges }}
@@ -20,6 +25,7 @@ spec:
     - {{ . }}
   {{- end }}
   {{- end }}
+  {{- end }}
   {{- if .Values.service.http.externalIPs }}
   externalIPs:
     {{- toYaml .Values.service.http.externalIPs | nindent 4 }}
@@ -43,6 +49,6 @@ spec:
     {{- if  .Values.service.http.nodePort }}
     nodePort: {{ .Values.service.http.nodePort }}
     {{- end }}
-    targetPort: {{ .Values.gitea.config.server.HTTP_PORT }}
+    targetPort: http
   selector:
     {{- include "gitea.selectorLabels" . | nindent 4 }}

templates/gitea/ingress.yaml

@@ -1,18 +1,10 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "gitea.fullname" . -}}
-{{- $httpPort := .Values.service.http.port -}}
-{{- $apiVersion := "extensions/v1beta1" -}}
-{{- if .Values.ingress.apiVersion -}}
-{{- $apiVersion = .Values.ingress.apiVersion -}}
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" -}}
-{{- $apiVersion = "networking.k8s.io/v1" }}
-{{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" -}}
-{{- $apiVersion = "networking.k8s.io/v1beta1" }}
-{{- end }}
-apiVersion: {{ $apiVersion }}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
   annotations:
@@ -21,7 +13,7 @@ metadata:
     {{- end }}
 spec:
 {{- if .Values.ingress.className }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName: {{ tpl .Values.ingress.className . }}
 {{- end }}
 {{- if .Values.ingress.tls }}
   tls:
@@ -40,19 +32,14 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if and .pathType (eq $apiVersion "networking.k8s.io/v1") }}
+            {{- if .pathType }}
             pathType: {{ .pathType }}
             {{- end }}
             backend:
-            {{- if eq $apiVersion "networking.k8s.io/v1" }}
               service:
                 name: {{ $fullName }}-http
                 port:
-                  number: {{ $httpPort }}
-            {{- else }}
-              serviceName: {{ $fullName }}-http
-              servicePort: {{ $httpPort }}
-            {{- end }}
+                  name: http
           {{- end }}
     {{- end }}
 {{- end }}

templates/gitea/init.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: {{ include "gitea.fullname" . }}-init
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 type: Opaque
@@ -109,13 +110,26 @@ stringData:
 
       local ACCOUNT_ID=$(echo "${actual_user_table}" | grep -E "\s+${GITEA_ADMIN_USERNAME}\s+" | awk -F " " "{printf \$1}")
       if [[ -z "${ACCOUNT_ID}" ]]; then
+        local -a create_args
+        create_args=(--admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }})
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = initialOnlyRequireReset ]]; then
+          create_args+=(--must-change-password=true)
+        else
+          create_args+=(--must-change-password=false)
+        fi
         echo "No admin user '${GITEA_ADMIN_USERNAME}' found. Creating now..."
-        gitea admin user create --admin --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --email {{ .Values.gitea.admin.email | quote }} --must-change-password=false
+        gitea admin user create "${create_args[@]}"
         echo '...created.'
       else
+        if [[ "${GITEA_ADMIN_PASSWORD_MODE}" = keepUpdated ]]; then
           echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist. Running update to sync password..."
-        gitea admin user change-password --username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}"
+          local -a change_args
+          change_args=(--username "${GITEA_ADMIN_USERNAME}" --password "${GITEA_ADMIN_PASSWORD}" --must-change-password=false)
+          gitea admin user change-password "${change_args[@]}"
           echo '...password sync done.'
+        else
+          echo "Admin account '${GITEA_ADMIN_USERNAME}' already exist, but update mode is set to '${GITEA_ADMIN_PASSWORD_MODE}'. Skipping."
+        fi
       fi
     }
 

templates/gitea/poddisruptionbudget.yaml

@@ -1,12 +1,9 @@
 {{- if .Values.podDisruptionBudget -}}
-{{- if .Capabilities.APIVersions.Has "policy/v1" }}
 apiVersion: policy/v1
-{{- else }}
-apiVersion: policy/v1beta1
-{{- end }}
 kind: PodDisruptionBudget
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
 spec:

templates/gitea/pvc.yaml

@@ -3,7 +3,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
   name: {{ .Values.persistence.claimName }}
-  namespace: {{ $.Release.Namespace }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   annotations:
 {{ .Values.persistence.annotations | toYaml | indent 4}}
 {{- if .Values.persistence.labels }}

templates/gitea/route.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.route.enabled -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+  name: {{ include "gitea.fullname" . }}-http
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels:
+    {{- include "gitea.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.route.annotations | nindent 4 }}
+spec:
+  {{- if .Values.route.host }}
+  host: {{ tpl .Values.route.host $ | quote }}
+  {{- end }}
+  {{- if .Values.route.wildcardPolicy }}
+  wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+  {{- end }}
+  to:
+    kind: Service
+    name: {{ include "gitea.fullname" . }}-http
+    weight: 100
+  port:
+    targetPort: http
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+    {{- if .Values.route.tls.existingSecret }}
+    externalCertificate: {{ .Values.route.tls.existingSecret }}
+    {{- else if and .Values.route.tls.certificate
+                    .Values.route.tls.privateKey
+                    .Values.route.tls.caCertificate }}
+    certificate: |
+{{ .Values.route.tls.certificate | indent 6 }}
+    key: |
+{{ .Values.route.tls.privateKey | indent 6 }}
+    caCertificate: |
+{{ .Values.route.tls.caCertificate | indent 6 }}
+    {{- else if or .Values.route.tls.certificate
+                    .Values.route.tls.privateKey
+                    .Values.route.tls.caCertificate }}
+    {{- fail "certificate, privateKey and caCertificate must be specified together" }}
+    {{- end }}
+{{- end }}

templates/gitea/serviceaccount.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "gitea.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- with .Values.serviceAccount.labels }}

templates/gitea/servicemonitor.yaml

@@ -3,6 +3,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
   name: {{ include "gitea.fullname" . }}
+  namespace: {{ default (include "common.names.namespace" .) .Values.gitea.metrics.serviceMonitor.namespace | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.gitea.metrics.serviceMonitor.additionalLabels }}

templates/gitea/ssh-svc.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: {{ include "gitea.fullname" . }}-ssh
+  namespace: {{ include "common.names.namespace" . | quote }}
   labels:
     {{- include "gitea.labels" . | nindent 4 }}
     {{- if .Values.service.ssh.labels }}
@@ -12,6 +13,9 @@ metadata:
 spec:
   type: {{ .Values.service.ssh.type }}
   {{- if eq .Values.service.ssh.type "LoadBalancer" }}
+  {{- if .Values.service.ssh.loadBalancerClass }}
+  loadBalancerClass: {{ .Values.service.ssh.loadBalancerClass }}
+  {{- end }}
   {{- if .Values.service.ssh.loadBalancerIP }}
   loadBalancerIP: {{ .Values.service.ssh.loadBalancerIP }}
   {{- end -}}
@@ -43,7 +47,7 @@ spec:
   - name: ssh
     port: {{ .Values.service.ssh.port }}
     {{- if .Values.gitea.config.server.SSH_LISTEN_PORT }}
-    targetPort: {{ .Values.gitea.config.server.SSH_LISTEN_PORT }}
+    targetPort: ssh
     {{- end }}
     protocol: TCP
     {{- if .Values.service.ssh.nodePort }}

templates/tests/test-http-connection.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
 {{ include "gitea.labels" . | nindent 4 }}
   annotations:
-    "helm.sh/hook": test-success
+    "helm.sh/hook": test
 spec:
   containers:
     - name: wget

tools/changelog.mjs

@@ -1,67 +1,12 @@
-import conventionalChangelogCore from 'conventional-changelog-core';
-import conventionalChangelogPreset from 'conventional-changelog-conventionalcommits';
-import fs from 'node:fs';
+import { getChangelog } from './changelog/util.js';
 
-const config = conventionalChangelogPreset({
-  types: [
-    {
-      type: 'feat',
-      section: 'Features',
-    },
-    {
-      type: 'fix',
-      section: 'Bug Fixes',
-    },
-    {
-      type: 'perf',
-      section: 'Performance Improvements',
-    },
-    {
-      type: 'revert',
-      section: 'Reverts',
-    },
-    {
-      type: 'docs',
-      section: 'Documentation',
-    },
-    {
-      type: 'style',
-      section: 'Styles',
-    },
-    {
-      type: 'refactor',
-      section: 'Code Refactoring',
-    },
-    {
-      type: 'test',
-      section: 'Tests',
-    },
-    {
-      type: 'build',
-      section: 'Build System',
-    },
-    {
-      type: 'ci',
-      section: 'Continuous Integration',
-    },
-    {
-      type: 'chore',
-      section: 'Miscellaneous Chores',
-    },
-  ],
-});
+const stream = getChangelog(!!process.argv[2]).setEncoding('utf8');
 
-const file = process.argv[3]
-  ? fs.createWriteStream(process.argv[3])
-  : process.stdout;
+const changes = (await stream.toArray()).join('');
 
-conventionalChangelogCore(
-  {
-    config,
-    releaseCount: 2,
-  },
-  { version: process.argv[2], linkCompare: false },
-  undefined,
-  undefined,
-  { headerPartial: '' },
-).pipe(file);
+if (!changes.length) {
+  console.error('No changelog found');
+  process.exit(1);
+}
+
+process.stdout.write(changes);

tools/changelog/util.js

@@ -56,17 +56,16 @@ export const config = conventionalChangelogPreset({
 
 /**
  *
- * @param {string} version
- * @param {boolean} onTag
+ * @param {boolean|undefined} onTag
  * @returns
  */
-export function getChangelog(version, onTag) {
+export function getChangelog(onTag = false) {
   return conventionalChangelogCore(
     {
       config,
       releaseCount: onTag ? 2 : 1,
     },
-    { version, linkCompare: false },
+    undefined,
     undefined,
     undefined,
     { headerPartial: '' },

tools/ct.yml

@@ -1,3 +1,4 @@
+# https://github.com/helm/chart-testing/blob/main/doc/ct_install.md
 helm-extra-args: --timeout 3m
 check-version-increment: false
 debug: true

tools/forgejo-release.js

@@ -68,7 +68,7 @@ class GiteaReleaseCommand extends Command {
       return 1;
     }
 
-    const stream = getChangelog(tag, true).setEncoding('utf8');
+    const stream = getChangelog(true).setEncoding('utf8');
     const changes = (await stream.toArray()).join('');
 
     this.context.stdout.write(`Creating release ${tag}.\n`);

unittests/config/cache-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             ADAPTER=redis
             HOST=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "cache is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: 'cache is configured correctly for redis'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.cache
+          value: |-
+            ADAPTER=redis
+            HOST=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "cache is configured correctly for 'memory' when redis (or redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             ADAPTER=memory
             HOST=
 
-  - it: 'cache can be customized when redis-cluster is disabled'
+  - it: 'cache can be customized when redis (or redis-cluster) is disabled'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.cache.ADAPTER: custom-adapter
       gitea.config.cache.HOST: custom-host
     asserts:

unittests/config/queue-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             CONN_STR=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
             TYPE=redis
 
-  - it: "queue is configured correctly for 'levelDB' when redis-cluster is disabled"
+  - it: 'queue is configured correctly for redis'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.queue
+          value: |-
+            CONN_STR=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+            TYPE=redis
+
+  - it: "queue is configured correctly for 'levelDB' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             CONN_STR=
             TYPE=level
 
-  - it: 'queue can be customized when redis-cluster is disabled'
+  - it: 'queue can be customized when redis (and redis-cluster) are disabled'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.queue.TYPE: custom-type
       gitea.config.queue.CONN_STR: custom-connection-string
     asserts:

unittests/config/session-config.yaml

@@ -8,6 +8,8 @@ tests:
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -16,11 +18,28 @@ tests:
             PROVIDER=redis
             PROVIDER_CONFIG=redis+cluster://:@gitea-unittests-redis-cluster-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
 
-  - it: "session is configured correctly for 'memory' when redis-cluster is disabled"
+  - it: 'session is configured correctly for redis'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: true
+    asserts:
+      - documentIndex: 0
+        equal:
+          path: stringData.session
+          value: |-
+            PROVIDER=redis
+            PROVIDER_CONFIG=redis://:changeme@gitea-unittests-redis-headless.testing.svc.cluster.local:6379/0?pool_size=100&idle_timeout=180s&
+
+  - it: "session is configured correctly for 'memory' when redis (and redis-cluster) is disabled"
+    template: templates/gitea/config.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: false
     asserts:
       - documentIndex: 0
         equal:
@@ -29,11 +48,13 @@ tests:
             PROVIDER=memory
             PROVIDER_CONFIG=
 
-  - it: 'session can be customized when redis-cluster is disabled'
+  - it: 'session can be customized when redis (and redis-cluster) is disabled'
     template: templates/gitea/config.yaml
     set:
       redis-cluster:
         enabled: false
+      redis:
+        enabled: false
       gitea.config.session.PROVIDER: custom-provider
       gitea.config.session.PROVIDER_CONFIG: custom-provider-config
     asserts:

unittests/dependency-major-image-check.yaml

@@ -15,7 +15,7 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql-repmgr:16.+$
+          pattern: ^docker.io/bitnami/postgresql-repmgr:17.+$
   - it: '[postgresql] ensures we detect major image version upgrades'
     template: charts/postgresql/templates/primary/statefulset.yaml
     set:
@@ -28,15 +28,30 @@ tests:
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/postgresql:16.+$
+          pattern: ^docker.io/bitnami/postgresql:17.+$
   - it: '[redis-cluster] ensures we detect major image version upgrades'
     template: charts/redis-cluster/templates/redis-statefulset.yaml
     set:
       redis-cluster:
         enabled: true
+      redis:
+        enabled: false
+    asserts:
+      - documentIndex: 0
+        matchRegex:
+          path: spec.template.spec.containers[0].image
+          # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
+          pattern: bitnami/redis-cluster:7.+$
+  - it: '[redis] ensures we detect major image version upgrades'
+    template: charts/redis/templates/master/application.yaml
+    set:
+      redis-cluster:
+        enabled: false
+      redis:
+        enabled: true
     asserts:
       - documentIndex: 0
         matchRegex:
           path: spec.template.spec.containers[0].image
           # IN CASE OF AN INTENTIONAL MAJOR BUMP, ADJUST THIS TEST
-          pattern: ^docker.io/bitnami/redis-cluster:7.+$
+          pattern: bitnami/redis:7.+$

unittests/deployment/HA.yaml

@@ -0,0 +1,59 @@
+suite: deployment template (HA)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: fails with multiple replicas and "GIT_GC_REPOS" enabled
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          cron:
+            GIT_GC_REPOS:
+              ENABLED: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "Invoking the garbage collector via CRON is not yet supported when running with multiple replicas. Please set 'cron.GIT_GC_REPOS.enabled = false'."
+  - it: fails with multiple replicas and RWX file system not set
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+    asserts:
+      - failedTemplate:
+          errorMessage: 'When using multiple replicas, a RWX file system is required and gitea.persistence.accessModes[0] must be set to ReadWriteMany.'
+  - it: fails with multiple replicas and bleve issue indexer
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          indexer:
+            ISSUE_INDEXER_TYPE: bleve
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, the issue indexer (gitea.config.indexer.ISSUE_INDEXER_TYPE) must be set to a HA-ready provider such as 'meilisearch', 'elasticsearch' or 'db' (if the DB is HA-ready)."
+  - it: fails with multiple replicas and bleve repo indexer
+    template: templates/gitea/deployment.yaml
+    set:
+      replicaCount: 2
+      persistence:
+        accessModes:
+          - ReadWriteMany
+      gitea:
+        config:
+          indexer:
+            REPO_INDEXER_TYPE: bleve
+            REPO_INDEXER_ENABLED: true
+    asserts:
+      - failedTemplate:
+          errorMessage: "When using multiple replicas, the repo indexer (gitea.config.indexer.REPO_INDEXER_TYPE) must be set to 'meilisearch' or 'elasticsearch' or disabled."

unittests/deployment/basic.yaml

@@ -15,3 +15,17 @@ tests:
           kind: Deployment
           apiVersion: apps/v1
           name: forgejo-unittests
+  - it: deployment labels are set
+    template: templates/gitea/deployment.yaml
+    set:
+      deployment.labels:
+        hello: world
+    asserts:
+      - isSubset:
+          path: metadata.labels
+          content:
+            hello: world
+      - isSubset:
+          path: spec.template.metadata.labels
+          content:
+            hello: world

unittests/deployment/image-configuration.yaml

@@ -14,7 +14,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: 'codeberg.org/forgejo/forgejo:1.19.3-rootless'
+          value: 'code.forgejo.org/forgejo/forgejo:1.19.3-rootless'
   - it: tag override
     template: templates/gitea/deployment.yaml
     set:
@@ -22,7 +22,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: 'codeberg.org/forgejo/forgejo:1.19.4-rootless'
+          value: 'code.forgejo.org/forgejo/forgejo:1.19.4-rootless'
   - it: root-based image
     template: templates/gitea/deployment.yaml
     set:
@@ -30,7 +30,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: 'codeberg.org/forgejo/forgejo:1.19.3'
+          value: 'code.forgejo.org/forgejo/forgejo:1.19.3'
   - it: scoped registry
     template: templates/gitea/deployment.yaml
     set:
@@ -56,7 +56,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: 'codeberg.org/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
+          value: 'code.forgejo.org/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
   - it: image fullOverride (does not append rootless)
     template: templates/gitea/deployment.yaml
     set:
@@ -81,7 +81,7 @@ tests:
     asserts:
       - equal:
           path: spec.template.spec.containers[0].image
-          value: 'codeberg.org/forgejo/forgejo:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
+          value: 'code.forgejo.org/forgejo/forgejo:1.19.3@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
   - it: digest and global registry
     template: templates/gitea/deployment.yaml
     set:
@@ -91,3 +91,20 @@ tests:
       - equal:
           path: spec.template.spec.containers[0].image
           value: 'global.example.com/forgejo/forgejo:1.19.3-rootless@sha256:b28e8f3089b52ebe6693295df142f8c12eff354e9a4a5bfbb5c10f296c3a537a'
+  - it: correctly renders floating tag references
+    template: templates/gitea/deployment.yaml
+    set:
+      image.tag: 1.21 # use non-quoted value on purpose. See: https://gitea.com/gitea/helm-chart/issues/631
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[0].image
+          value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'
+      - equal:
+          path: spec.template.spec.initContainers[1].image
+          value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'
+      - equal:
+          path: spec.template.spec.initContainers[2].image
+          value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: 'code.forgejo.org/forgejo/forgejo:1.21-rootless'

unittests/deployment/ingress-configuration.yaml

@@ -15,9 +15,33 @@ tests:
           hosts:
             - '{{ .Values.global.giteaHostName }}'
     asserts:
+      - isKind:
+          of: Ingress
       - equal:
           path: spec.tls[0].hosts[0]
           value: 'gitea.example.com'
       - equal:
           path: spec.rules[0].host
           value: 'gitea.example.com'
+  - it: Ingress Class using TPL
+    set:
+      global.ingress.className: 'ingress-class'
+      ingress.className: '{{ .Values.global.ingress.className }}'
+      ingress.enabled: true
+      ingress.hosts[0].host: 'some-host'
+      ingress.tls:
+        - secretName: gitea-tls
+          hosts:
+            - 'some-host'
+    asserts:
+      - isKind:
+          of: Ingress
+      - equal:
+          path: spec.tls[0].hosts[0]
+          value: 'some-host'
+      - equal:
+          path: spec.rules[0].host
+          value: 'some-host'
+      - equal:
+          path: spec.ingressClassName
+          value: 'ingress-class'

unittests/deployment/route-configuration.yaml

@@ -0,0 +1,155 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: route template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/route.yaml
+tests:
+  - it: hostname using TPL
+    set:
+      global.giteaHostName: 'gitea.example.com'
+      route.enabled: true
+      route.host: '{{ .Values.global.giteaHostName }}'
+    asserts:
+      - isKind:
+          of: Route
+      - equal:
+          path: spec.host
+          value: 'gitea.example.com'
+      - notExists:
+          path: spec.wildcardPolicy
+  - it: wildcard policy
+    set:
+      global.giteaHostName: 'gitea.example.com'
+      route.enabled: true
+      route.wildcardPolicy: 'Subdomain'
+    asserts:
+      - isKind:
+          of: Route
+      - equal:
+          path: spec.wildcardPolicy
+          value: 'Subdomain'
+  - it: existing certificate
+    set:
+      route.enabled: true
+      route.tls.existingSecret: certificate-secret
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - isKind:
+          of: Route
+      - equal:
+          path: spec.tls.externalCertificate
+          value: certificate-secret
+      - notExists:
+          path: spec.tls.certificate
+      - notExists:
+          path: spec.tls.key
+      - notExists:
+          path: spec.tls.caCertificate
+  - it: valid certificate values
+    set:
+      route.enabled: true
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - isKind:
+          of: Route
+      - notExists:
+          path: spec.tls.externalCertificate
+      - equal:
+          path: spec.tls.certificate
+          value: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+      - equal:
+          path: spec.tls.key
+          value: |
+            -----BEGIN PRIVATE KEY-----
+            ...
+            -----END PRIVATE KEY-----
+      - equal:
+          path: spec.tls.caCertificate
+          value: |
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+            -----BEGIN CERTIFICATE-----
+            ...
+            -----END CERTIFICATE-----
+  - it: missing certificate values
+    set:
+      route.enabled: true
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - failedTemplate:
+          errorMessage: certificate, privateKey and caCertificate must be specified together
+  - it: missing privateKey values
+    set:
+      route.enabled: true
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.caCertificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+    asserts:
+      - failedTemplate:
+          errorMessage: certificate, privateKey and caCertificate must be specified together
+  - it: missing caCertificate values
+    set:
+      route.enabled: true
+      route.tls.certificate: |
+        -----BEGIN CERTIFICATE-----
+        ...
+        -----END CERTIFICATE-----
+      route.tls.privateKey: |
+        -----BEGIN PRIVATE KEY-----
+        ...
+        -----END PRIVATE KEY-----
+    asserts:
+      - failedTemplate:
+          errorMessage: certificate, privateKey and caCertificate must be specified together

unittests/deployment/security-context-normal.yaml

@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group set to 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.securityContext.fsGroup
+          value: 1000
+  - it: run configure-gitea with UID 1000
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+    asserts:
+      - equal:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser
+          value: 1000

unittests/deployment/security-context-ocp.yaml

@@ -0,0 +1,25 @@
+# $schema: https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json
+suite: deployment template (security context)
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/deployment.yaml
+  - templates/gitea/config.yaml
+tests:
+  - it: FS group not set
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.securityContext.fsGroup
+  - it: configure-gitea without runaAsUser
+    template: templates/gitea/deployment.yaml
+    set:
+      image.rootless: false
+      global.compatibility.openshift.adaptSecurityContext: force
+    asserts:
+      - notExists:
+          path: spec.template.spec.initContainers[?(@.name == 'configure-gitea')].securityContext.runAsUser

unittests/deployment/svc-configuration.yaml

@@ -49,3 +49,80 @@ tests:
     asserts:
       - exists:
           path: metadata.labels["app"]
+
+  - it: uses default ports to ssh-svc
+    template: templates/gitea/ssh-svc.yaml
+    asserts:
+      - equal:
+          path: spec.ports[0].port
+          value: 22
+      - equal:
+          path: spec.ports[0].targetPort
+          value: ssh
+
+  - it: render service.ssh.loadBalancerClass if set and type is LoadBalancer
+    template: templates/gitea/ssh-svc.yaml
+    set:
+      service:
+        ssh:
+          loadBalancerClass: 'example.com/class'
+          type: LoadBalancer
+          loadBalancerIP: '1.2.3.4'
+          loadBalancerSourceRanges:
+            - '1.2.3.4/32'
+            - '5.6.7.8/32'
+    asserts:
+      - equal:
+          path: spec.loadBalancerClass
+          value: 'example.com/class'
+      - equal:
+          path: spec.loadBalancerIP
+          value: '1.2.3.4'
+      - equal:
+          path: spec.loadBalancerSourceRanges
+          value: ['1.2.3.4/32', '5.6.7.8/32']
+
+  - it: does not render when loadbalancer properties are set but type is not loadBalancerClass
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: ClusterIP
+          loadBalancerClass: 'example.com/class'
+          loadBalancerIP: '1.2.3.4'
+          loadBalancerSourceRanges:
+            - '1.2.3.4/32'
+            - '5.6.7.8/32'
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - notExists:
+          path: spec.loadBalancerIP
+      - notExists:
+          path: spec.loadBalancerSourceRanges
+
+  - it: does not render loadBalancerClass by default even when type is LoadBalancer
+    template: templates/gitea/http-svc.yaml
+    set:
+      service:
+        http:
+          type: LoadBalancer
+          loadBalancerIP: '1.2.3.4'
+    asserts:
+      - notExists:
+          path: spec.loadBalancerClass
+      - equal:
+          path: spec.loadBalancerIP
+          value: '1.2.3.4'
+
+  - it: both ssh and http services exist
+    templates:
+      - templates/gitea/ssh-svc.yaml
+      - templates/gitea/http-svc.yaml
+    asserts:
+      - matchRegex:
+          path: metadata.name
+          pattern: '^gitea-unittests-forgejo-(?:ssh|http)$'
+      - matchRegex:
+          path: spec.ports[0].name
+          pattern: '^(?:ssh|http)$'

unittests/init/init_directory_structure.sh-rootless.yaml

@@ -1,6 +1,6 @@
-suite: Init template
+suite: Init template (rootless)
 release:
-  name: gitea-unittests
+  name: forgejo-unittests
   namespace: testing
 templates:
   - templates/gitea/init.yaml
@@ -67,7 +67,6 @@ tests:
               chown 1000:1000 "${GNUPGHOME}"
             fi
   - it: it does not chown /data even when image.fullOverride is set
-    template: templates/gitea/init.yaml
     set:
       image.fullOverride: gitea/gitea:1.20.5
     asserts:

unittests/pvc/pvc-configuration.yaml

@@ -0,0 +1,19 @@
+suite: PVC template
+release:
+  name: gitea-unittests
+  namespace: testing
+templates:
+  - templates/gitea/pvc.yaml
+tests:
+  - it: Storage Class using TPL
+    set:
+      global.persistence.storageClass: 'storage-class'
+      persistence.enabled: true
+      persistence.create: true
+      persistence.storageClass: '{{ .Values.global.persistence.storageClass }}'
+    asserts:
+      - isKind:
+          of: PersistentVolumeClaim
+      - equal:
+          path: spec.storageClassName
+          value: 'storage-class'

unittests/values-conflicting-checks.yaml

@@ -0,0 +1,14 @@
+suite: Values conflicting checks
+release:
+  name: gitea-unittests
+  namespace: testing
+tests:
+  - it: fails when trying to configure redis and redis-cluster the same time
+    set:
+      redis-cluster:
+        enabled: true
+      redis:
+        enabled: true
+    asserts:
+      - failedTemplate:
+          errorMessage: redis and redis-cluster cannot be enabled at the same time. Please only choose one.

values.yaml

@@ -20,6 +20,10 @@ global:
   #   hostnames:
   #   - example.com
 
+## @param namespaceOverride String to fully override common.names.namespace
+##
+namespaceOverride: ''
+
 ## @param replicaCount number of replicas for the deployment
 replicaCount: 1
 
@@ -39,13 +43,13 @@ clusterDomain: cluster.local
 ## @section Image
 ## @param image.registry image registry, e.g. gcr.io,docker.io
 ## @param image.repository Image to start for this pod
-## @param image.tag Visit: [Image tag](https://codeberg.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
+## @param image.tag Visit: [Image tag](https://code.forgejo.org/forgejo/-/packages/container/forgejo/versions). Defaults to `appVersion` within Chart.yaml.
 ## @param image.digest Image digest. Allows to pin the given image tag. Useful for having control over mutable tags like `latest`
 ## @param image.pullPolicy Image pull policy
 ## @param image.rootless Wether or not to pull the rootless version of Forgejo
 ## @param image.fullOverride Completely overrides the image registry, path/image, tag and digest. **Adjust `image.rootless` accordingly and review [Rootless defaults](#rootless-defaults).**
 image:
-  registry: codeberg.org
+  registry: code.forgejo.org
   repository: forgejo/forgejo
   # Overrides the image tag whose default is the chart appVersion.
   tag: ''
@@ -97,7 +101,7 @@ podDisruptionBudget: {}
 service:
   ## @param service.http.type Kubernetes service type for web traffic
   ## @param service.http.port Port number for web traffic
-  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment is None
+  ## @param service.http.clusterIP ClusterIP setting for http autosetup for deployment
   ## @param service.http.loadBalancerIP LoadBalancer IP setting
   ## @param service.http.nodePort NodePort for http service
   ## @param service.http.externalTrafficPolicy If `service.http.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@@ -107,10 +111,11 @@ service:
   ## @param service.http.loadBalancerSourceRanges Source range filter for http loadbalancer
   ## @param service.http.annotations HTTP service annotations
   ## @param service.http.labels HTTP service additional labels
+  ## @param service.http.loadBalancerClass Loadbalancer class
   http:
     type: ClusterIP
     port: 3000
-    clusterIP: None
+    clusterIP:
     loadBalancerIP:
     nodePort:
     externalTrafficPolicy:
@@ -120,9 +125,10 @@ service:
     loadBalancerSourceRanges: []
     annotations: {}
     labels: {}
+    loadBalancerClass:
   ## @param service.ssh.type Kubernetes service type for ssh traffic
   ## @param service.ssh.port Port number for ssh traffic
-  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment is None
+  ## @param service.ssh.clusterIP ClusterIP setting for ssh autosetup for deployment
   ## @param service.ssh.loadBalancerIP LoadBalancer IP setting
   ## @param service.ssh.nodePort NodePort for ssh service
   ## @param service.ssh.externalTrafficPolicy If `service.ssh.type` is `NodePort` or `LoadBalancer`, set this to `Local` to enable source IP preservation
@@ -133,10 +139,11 @@ service:
   ## @param service.ssh.loadBalancerSourceRanges Source range filter for ssh loadbalancer
   ## @param service.ssh.annotations SSH service annotations
   ## @param service.ssh.labels SSH service additional labels
+  ## @param service.ssh.loadBalancerClass Loadbalancer class
   ssh:
     type: ClusterIP
     port: 22
-    clusterIP: None
+    clusterIP:
     loadBalancerIP:
     nodePort:
     externalTrafficPolicy:
@@ -147,6 +154,7 @@ service:
     loadBalancerSourceRanges: []
     annotations: {}
     labels: {}
+    loadBalancerClass:
 
 ## @section Ingress
 ## @param ingress.enabled Enable ingress
@@ -156,7 +164,6 @@ service:
 ## @param ingress.hosts[0].paths[0].path Default Ingress path
 ## @param ingress.hosts[0].paths[0].pathType Ingress path type
 ## @param ingress.tls Ingress tls settings
-## @extra ingress.apiVersion Specify APIVersion of ingress object. Mostly would only be used for argocd.
 ingress:
   enabled: false
   # className: nginx
@@ -174,9 +181,48 @@ ingress:
   #  - secretName: chart-example-tls
   #    hosts:
   #      - git.example.com
-  # Mostly for argocd or any other CI that uses `helm template | kubectl apply` or similar
-  # If helm doesn't correctly detect your ingress API version you can set it here.
-  # apiVersion: networking.k8s.io/v1
+
+## @section Route
+## @param route.enabled Enable route
+## @param route.annotations Route annotations
+## @param route.host Host to use for the route (will be assigned automatically by OKD / OpenShift is not defined)
+## @param route.wildcardPolicy Wildcard policy if any for the route, currently only 'Subdomain' or 'None' is allowed.
+## @param route.tls.termination termination type (see [OKD documentation](https://docs.okd.io/latest/rest_api/network_apis/route-route-openshift-io-v1.html#spec-tls))
+## @param route.tls.insecureEdgeTerminationPolicy the desired behavior for insecure connections to a route (e.g. with http)
+## @param route.tls.existingSecret the name of a predefined secret of type kubernetes.io/tls with both key (tls.crt and tls.key) set accordingly (if defined attributes 'certificate', 'caCertificate' and 'privateKey' are ignored)
+## @param route.tls.certificate PEM encoded single certificate
+## @param route.tls.privateKey PEM encoded private key
+## @param route.tls.caCertificate PEM encoded CA certificate or chain that issued the certificate
+## @param route.tls.destinationCACertificate PEM encoded CA certificate used to verify the authenticity of final end point when 'termination' is set to 'passthrough' (ignored otherwise)
+route:
+  enabled: false
+  annotations: {}
+  host:
+  wildcardPolicy:
+  tls:
+    termination: edge
+    insecureEdgeTerminationPolicy: Redirect
+    existingSecret:
+    certificate:
+    # certificate: |-
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+    privateKey:
+    # privateKey: |-
+    # -----BEGIN PRIVATE KEY-----
+    # ...
+    # -----END PRIVATE KEY-----
+    caCertificate:
+    # caCertificate: |-
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
+    destinationCACertificate:
+    # destinationCACertificate: |-
+    # -----BEGIN CERTIFICATE-----
+    # ...
+    # -----END CERTIFICATE-----
 
 ## @section deployment
 #
@@ -323,7 +369,7 @@ initContainers:
 #
 ## @param signing.enabled Enable commit/action signing
 ## @param signing.gpgHome GPG home directory
-## @param signing.privateKey Inline private gpg key for signed Forgejo actions
+## @param signing.privateKey Inline private GPG key for signed internal Git activity
 ## @param signing.existingSecret Use an existing secret to store the value of `signing.privateKey`
 signing:
   enabled: false
@@ -342,19 +388,23 @@ gitea:
   ## @param gitea.admin.existingSecret Use an existing secret to store admin user credentials
   ## @param gitea.admin.password Password for the Forgejo admin user
   ## @param gitea.admin.email Email for the Forgejo admin user
+  ## @param gitea.admin.passwordMode Mode for how to set/update the admin user password. Options are: initialOnlyNoReset, initialOnlyRequireReset, and keepUpdated
   admin:
     # existingSecret: gitea-admin-secret
     existingSecret:
     username: gitea_admin
     password: r8sA8CPHD9!bt6d
     email: 'gitea@local.domain'
+    passwordMode: keepUpdated
 
   ## @param gitea.metrics.enabled Enable Forgejo metrics
   ## @param gitea.metrics.serviceMonitor.enabled Enable Forgejo metrics service monitor
+  ## @param gitea.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
   metrics:
     enabled: false
     serviceMonitor:
       enabled: false
+      namespace: ''
       #  additionalLabels:
       #    prometheus-release: prom1
 
@@ -391,18 +441,6 @@ gitea:
     #   customProfileUrl:
     #   customEmailUrl:
 
-  ## @param gitea.config.server.SSH_PORT SSH port for rootlful Forgejo image
-  ## @param gitea.config.server.SSH_LISTEN_PORT SSH port for rootless Forgejo image
-  config:
-    #  APP_NAME: "Forgejo: Git with a cup of tea"
-    #  RUN_MODE: dev
-    server:
-      SSH_PORT: 22 # rootful image
-      SSH_LISTEN_PORT: 2222 # rootless image
-  #
-  #  security:
-  #    PASSWORD_COMPLEXITY: spec
-
   ## @param gitea.additionalConfigSources Additional configuration from secret or configmap
   additionalConfigSources: []
   #   - secret:
@@ -420,6 +458,158 @@ gitea:
   ssh:
     logLevel: 'INFO'
 
+  ## @section `app.ini` overrides
+  ## @descriptionStart
+  ## Every value described in the [Cheat
+  ## Sheet](https://forgejo.org/docs/latest/admin/config-cheat-sheet/) can be
+  ## set as a Helm value. Configuration sections map to (lowercased) YAML
+  ## blocks, while the keys themselves remain in all caps.
+  ## @descriptionEnd
+  config:
+    # values in the DEFAULT section
+    # (https://forgejo.org/docs/latest/admin/config-cheat-sheet/#overall-default)
+    # are un-namespaced
+
+    ## @param gitea.config.APP_NAME Application name, used in the page title
+    APP_NAME: 'Forgejo: Beyond coding. We forge.'
+
+    ## @param gitea.config.RUN_MODE Application run mode, affects performance and debugging: `dev` or `prod`
+    RUN_MODE: prod
+
+    ## @param gitea.config.repository General repository settings
+    repository: {}
+
+    ## @param gitea.config.cors Cross-origin resource sharing settings
+    cors: {}
+
+    ## @param gitea.config.ui User interface settings
+    ui: {}
+
+    ## @param gitea.config.markdown Markdown parser settings
+    markdown: {}
+
+    ## @param gitea.config.server [object] General server settings
+    server:
+      SSH_PORT: 22 # rootful image
+      SSH_LISTEN_PORT: 2222 # rootless image
+
+    ## @param gitea.config.database Database configuration (only necessary with an [externally managed DB](https://code.forgejo.org/forgejo-helm/forgejo-helm#external-database)).
+    database: {}
+
+    ## @param gitea.config.indexer Settings for what content is indexed and how
+    indexer: {}
+
+    ## @param gitea.config.queue Job queue configuration
+    queue: {}
+
+    ## @param gitea.config.admin Admin user settings
+    admin: {}
+
+    ## @param gitea.config.security Site security settings
+    security: {}
+
+    ## @param gitea.config.camo Settings for the [camo](https://github.com/cactus/go-camo) media proxy server (disabled by default)
+    camo: {}
+
+    ## @param gitea.config.openid Configuration for authentication with OpenID (disabled by default)
+    openid: {}
+
+    ## @param gitea.config.oauth2_client OAuth2 client settings
+    oauth2_client: {}
+
+    ## @param gitea.config.service Configuration for miscellaneous Forgejo services
+    service: {}
+
+    ## @param gitea.config.ssh.minimum_key_sizes SSH minimum key sizes
+    ssh.minimum_key_sizes: {}
+
+    ## @param gitea.config.webhook Webhook settings
+    webhook: {}
+
+    ## @param gitea.config.mailer Mailer configuration (disabled by default)
+    mailer: {}
+
+    ## @param gitea.config.email.incoming Configuration for handling incoming mail (disabled by default)
+    email.incoming: {}
+
+    ## @param gitea.config.cache Cache configuration
+    cache: {}
+
+    ## @param gitea.config.session Session/cookie handling
+    session: {}
+
+    ## @param gitea.config.picture User avatar settings
+    picture: {}
+
+    ## @param gitea.config.project Project board defaults
+    project: {}
+
+    ## @param gitea.config.attachment Issue and PR attachment configuration
+    attachment: {}
+
+    ## @param gitea.config.log Logging configuration
+    log: {}
+
+    ## @param gitea.config.cron Cron job configuration
+    cron: {}
+
+    ## @param gitea.config.git Global settings for Git
+    git: {}
+
+    ## @param gitea.config.metrics Settings for the Prometheus endpoint (disabled by default)
+    metrics: {}
+
+    ## @param gitea.config.api Settings for the Swagger API documentation endpoints
+    api: {}
+
+    ## @param gitea.config.oauth2 Settings for the [OAuth2 provider](https://forgejo.org/docs/latest/admin/oauth2-provider/)
+    oauth2: {}
+
+    ## @param gitea.config.i18n Internationalization settings
+    i18n: {}
+
+    ## @param gitea.config.markup Configuration for advanced markup processors
+    markup: {}
+
+    ## @param gitea.config.highlight.mapping File extension to language mapping overrides for syntax highlighting
+    highlight.mapping: {}
+
+    ## @param gitea.config.time Locale settings
+    time: {}
+
+    ## @param gitea.config.migrations Settings for Git repository migrations
+    migrations: {}
+
+    ## @param gitea.config.federation Federation configuration
+    federation: {}
+
+    ## @param gitea.config.packages Package registry settings
+    packages: {}
+
+    ## @param gitea.config.mirror Configuration for repository mirroring
+    mirror: {}
+
+    ## @param gitea.config.lfs Large File Storage configuration
+    lfs: {}
+
+    ## @param gitea.config.repo-avatar Repository avatar storage configuration
+    repo-avatar: {}
+
+    ## @param gitea.config.avatar User/org avatar storage configuration
+    avatar: {}
+
+    ## @param gitea.config.storage General storage settings
+    storage: {}
+
+    ## @param gitea.config.proxy Proxy configuration (disabled by default)
+    proxy: {}
+
+    ## @param gitea.config.actions Configuration for [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/)
+    actions: {}
+
+    ## @param gitea.config.other Uncategorized configuration options
+    other: {}
+
   ## @section LivenessProbe
   #
   ## @param gitea.livenessProbe.enabled Enable liveness probe
@@ -443,7 +633,8 @@ gitea:
   ## @section ReadinessProbe
   #
   ## @param gitea.readinessProbe.enabled Enable readiness probe
-  ## @param gitea.readinessProbe.tcpSocket.port Port to probe for readiness
+  ## @param gitea.readinessProbe.httpGet.path Path to probe for readiness
+  ## @param gitea.readinessProbe.httpGet.port Port to probe for readiness
   ## @param gitea.readinessProbe.initialDelaySeconds Initial delay before readiness probe is initiated
   ## @param gitea.readinessProbe.timeoutSeconds Timeout for readiness probe
   ## @param gitea.readinessProbe.periodSeconds Period for readiness probe
@@ -452,7 +643,8 @@ gitea:
   # Modify the readiness probe for your needs or completely disable it by commenting out.
   readinessProbe:
     enabled: true
-    tcpSocket:
+    httpGet:
+      path: /api/healthz
       port: http
     initialDelaySeconds: 5
     timeoutSeconds: 1
@@ -483,10 +675,11 @@ gitea:
 ## @section Redis® Cluster
 ## @descriptionStart
 ## Redis® Cluster is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis-cluster) if enabled in the values.
-## Complete Configuration can be taken from their website.
+## Full configuration options are available on their website.
+## Redis cluster and [Redis](#redis) cannot be enabled at the same time.
 ## @descriptionEnd
 #
-## @param redis-cluster.enabled Enable redis
+## @param redis-cluster.enabled Enable redis cluster
 ## @param redis-cluster.usePassword Whether to use password authentication
 ## @param redis-cluster.cluster.nodes Number of redis cluster master nodes
 ## @param redis-cluster.cluster.replicas Number of redis cluster master node replicas
@@ -497,10 +690,30 @@ redis-cluster:
     nodes: 3 # default: 6
     replicas: 0 # default: 1
 
+## @section Redis®
+## @descriptionStart
+## Redis® is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/redis) if enabled in the values.
+## Full configuration options are available on their website.
+## Redis and [Redis cluster](#redis-cluster) cannot be enabled at the same time.
+## @descriptionEnd
+#
+## @param redis.enabled Enable redis standalone or replicated
+## @param redis.architecture Whether to use standalone or replication
+## @param redis.global.redis.password Required password
+## @param redis.master.count Number of Redis master instances to deploy
+redis:
+  enabled: false
+  architecture: standalone
+  global:
+    redis:
+      password: changeme
+  master:
+    count: 1
+
 ## @section PostgreSQL HA
 ## @descriptionStart
 ## PostgreSQL HA is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql-ha) if enabled in the values.
-## Complete Configuration can be taken from their website.
+## Full configuration options are available on their website.
 ## @descriptionEnd
 #
 ## @param postgresql-ha.enabled Enable PostgreSQL HA chart
@@ -512,7 +725,7 @@ redis-cluster:
 ## @param postgresql-ha.postgresql.postgresPassword postgres Password
 ## @param postgresql-ha.pgpool.adminPassword pgpool adminPassword
 ## @param postgresql-ha.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
-## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL-ha volume
+## @param postgresql-ha.primary.persistence.size PVC Storage Request for PostgreSQL HA volume
 postgresql-ha:
   global:
     postgresql:
@@ -536,7 +749,7 @@ postgresql-ha:
 ## @section PostgreSQL
 ## @descriptionStart
 ## PostgreSQL is loaded as a dependency from [Bitnami](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) if enabled in the values.
-## Complete Configuration can be taken from their website.
+## Full configuration options are available on their website.
 ## @descriptionEnd
 #
 ## @param postgresql.enabled Enable PostgreSQL
@@ -563,8 +776,8 @@ postgresql:
 # By default, removed or moved settings that still remain in a user defined values.yaml will cause Helm to fail running the install/update.
 # Set it to false to skip this basic validation check.
 ## @section Advanced
-## @param checkDeprecation Set it to false to skip this basic validation check.
-## @param test.enabled Set it to false to disable test-connection Pod.
+## @param checkDeprecation Whether to run this basic validation check.
+## @param test.enabled Whether to use test-connection Pod.
 ## @param test.image.name Image name for the wget container used in the test-connection Pod.
 ## @param test.image.tag Image tag for the wget container used in the test-connection Pod.
 checkDeprecation: true
@@ -574,6 +787,6 @@ test:
     name: busybox
     tag: latest
 
-## @param extraDeploy Array of extra objects to deploy with the release
+## @param extraDeploy Array of extra objects to deploy with the release.
 ##
 extraDeploy: []