From 89b777bf6c643448bfd9c27387ac50eca772b813 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Fri, 27 Mar 2026 13:23:53 +0100
Subject: [PATCH] feat(gitea): take ownership of Gitea Helm values (T06)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Receive gitea-values.sops.yaml from railiance-cluster — S5 now owns the Gitea deployment lifecycle per ADR-003 boundary rules. Add gitea-deploy and gitea-status Makefile targets. Update SCOPE.md to reflect boundary violation resolved.
Co-Authored-By: Claude Sonnet 4.6
---
 Makefile | 19 ++++++++++++++-
 SCOPE.md | 9 ++++----
 helm/gitea-values.sops.yaml | 46 +++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 helm/gitea-values.sops.yaml

diff --git a/Makefile b/Makefile
index 6e6089c..d218039 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,22 @@
 SHELL := /usr/bin/env bash
 .DEFAULT_GOAL := help
+##@ Gitea
+
+gitea-deploy: ## Deploy / upgrade Gitea (S5 workload)
+ helm upgrade --install gitea gitea-charts/gitea \
+ -f <(sops -d helm/gitea-values.sops.yaml) \
+ --namespace gitea --create-namespace
+
+gitea-status: ## Check Gitea health
+ kubectl get pods -n gitea
+ kubectl cnpg status gitea-db -n databases
+
+##@ Help
+
 help: ## Show this help
- @grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) | sort | sed 's/:.*##/: /'
+ @awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n make \033[36m\033[0m\n"} \
+ /^[a-zA-Z_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
+ /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
+
+.PHONY: gitea-deploy gitea-status help
diff --git a/SCOPE.md b/SCOPE.md
index 00f3bff..e5a6269 100644
--- a/SCOPE.md
+++ b/SCOPE.md
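Review bot: In `gitea-deploy`, a failed `sops -d` inside the `<(...)` process substitution is not visible to the shell as an error, so `helm upgrade --install` can still run against an empty values stream and move the release onto chart defaults. Let sops drive the command so a decryption failure (missing age key, MAC mismatch) aborts before helm starts, for example `sops exec-file helm/gitea-values.sops.yaml 'helm upgrade --install gitea gitea-charts/gitea -f {} --namespace gitea --create-namespace'`. The chart reference is also unpinned; adding `--version <CHART_VERSION>` (placeholder) would stop a deploy from picking up whatever the locally configured `gitea-charts` repo serves that day.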
@@ -53,10 +53,10 @@ Railiance is structured as five independent repos, one per OAS (Open Application
 ## Current State
-- Status: experimental (placeholder; no active work)
-- Implementation: empty (workplans/ has only .gitkeep; no Helm charts yet)
-- Stability: n/a
-- Usage: will be used after railiance-platform (S3) is operational
+- Status: active (Gitea Helm values now owned by S5; boundary violation resolved)
+- Implementation: Gitea is deployed and operational. Helm values (`helm/gitea-values.sops.yaml`) are now managed from this repo (S5) — moved from railiance-cluster in RAIL-HO-WP-0004-T06. Gitea uses an external cnpg database (`gitea-db` in the `databases` namespace) and standalone Valkey.
+- Stability: Gitea stable; S5 layer now owns the Gitea deployment lifecycle
+- Usage: Gitea serves as the git hosting platform for all Railiance and Custodian repos
 ---
@@ -99,3 +99,4 @@ keywords: [gitea, coulomb, webapp, helm, application, deployment, workload]
 - Start with: `CLAUDE.md` (session protocol, boundary rules)
 - Key files / directories: `workplans/` (currently empty), `Makefile`
 - Pre-conditions: all four lower layers (S1–S4) must be converged and verified
+- Key files: `helm/gitea-values.sops.yaml` (Gitea Helm values, SOPS-encrypted), `releases/gitea/values.yaml` (legacy plain values — superseded)
diff --git a/helm/gitea-values.sops.yaml b/helm/gitea-values.sops.yaml
new file mode 100644
index 0000000..1891089
--- /dev/null
+++ b/helm/gitea-values.sops.yaml
@@ -0,0 +1,46 @@ +#ENC[AES256_GCM,data:RznLDXAkDpHVhaXHZrlMYo6z8+cZyTjRMkku6XrF2Zjzulkt+Ve/8Q==,iv:EHVhhpSUcDGR1ARNfNbSdJ0Gjjq6CyEfXMU+cAnIgc4=,tag:0OWESOcslvCB5wHH6IWE6g==,type:comment] +#ENC[AES256_GCM,data:RJvbPFrBALVhJm5+rkcdgTqE9G59vRnfjddwXU+G+B3u1saEttf98sTXV/Mim/FK6gAilvSr,iv:h1QLn5NthfdVAayrpvqcPzTXV1sEQATNREAHLRT6c1Y=,tag:32UpAGaIyDbFnnAa3zveAQ==,type:comment] +# +#ENC[AES256_GCM,data:mzm+3mIPOZBEuFAZUppd3i2UnJ94mP+pXGVLdkfZ8SOTDgnw6dJa1A==,iv:cO/dj0wp9MlEUUcYU4qOGG1qJ2LWHHgRGoYii7aKMMg=,tag:4jiRnvmaRa3nDoSJ2W6sWw==,type:comment] +#ENC[AES256_GCM,data:h7vlbkUu+TMbRU83E+nx5F/4FCcovoIPdgRmD4/QVUFPimDGxZ6CtnhJbYQjVw==,iv:kXozUXpTdhy+MPk2y956Pqofww/iDVLUE/bSH0+mHaU=,tag:LsB6Ijmw/sT0d3S+rMbAsQ==,type:comment] +#ENC[AES256_GCM,data:Uw46ZrbHN5fxwHV/mU9t+z2xYkRE0gUxmlzRfzPVt31qH7SwxvVvcSMRIw==,iv:/nnvTn3ABdKBtCRytjg73T4jl3w+8JRZIaSsw7l9Iyk=,tag:Bn4WRZDMj6lc0o8Z6d/ZXQ==,type:comment] +#ENC[AES256_GCM,data:6871AIBTjtOWM5CCXlo/MDCYMhBdl4kVCQnxhlW7cyZ6Ucy+0Tg3yn5LO28DDQl2y8f/2ACfttT4KHiGqe7bhg0a0DouN1NLRmXlxNUAADo88FqW33C41EBJ7v50ng==,iv:qOjN0OBPaNNBC33CXwGUPVNdk+eerCa5mOdkcqwQKXM=,tag:U0xLzSBcAR4ILRQHGaoWLg==,type:comment] +# +#ENC[AES256_GCM,data:FRaxggcnSudMRfPAMH3nzX04cwkWQ4LhyGk0qMmH5tiSPYMnVoedoLN6TEnk5skCg6UmOaV2jcJo36zpkKoQBf6u,iv:CQoIAYQO09d+jqsvgycCFHZme9SFhgGWaut3JjeEQ5w=,tag:0i56ycYqWuKMOcjentGplw==,type:comment] +#ENC[AES256_GCM,data:weGb36lC8sz19REjFOI8EagSEnDisNSHteSr+SZmTWAbfxnUk+/G4d5q/KMWHS+Y0SimGbufwDuvj0AiwIl0GZ/46Lqfdg==,iv:IIZCqRFIEp0IxGQkv5aTknJyYA3DG7vxtu6CGhrUh0k=,tag:/X3OGfgurgiNsz1vf6oPxw==,type:comment] +gitea: + config: + server: + DOMAIN: ENC[AES256_GCM,data:R2HrjW5sW0nvDNIWd0G00ReltOA=,iv:CWZ+Fy+y/hIKNzqCTstaGFpgHgDJvEe6mF0Q7QKbvmE=,tag:+oA9F7xTgaSXLIPmYNkY5A==,type:str] + ROOT_URL: ENC[AES256_GCM,data:li2QBHIkm3hVSqGbzuBG2os8qx7tHuiyOttn,iv:2q0LXgp+bhv7t4FG1kBNNlq1ZqSpIpUf7e0hdKhJosg=,tag:h+Mu0/jo/pb78qOWU7W0TQ==,type:str] + SSH_DOMAIN: 
ENC[AES256_GCM,data:i0Vb19m1fbr4TluqQxjFg73X0eA=,iv:ff2Nhmpdc+S8lTye87fj0i5MFyIl4Mhq8+awknKlbTQ=,tag:lPGppk9JT7wR5thdwlmjTQ==,type:str] +postgresql-ha: + postgresql: + #ENC[AES256_GCM,data:kRJ/o1D24opEpW87UbrSWzGjOAgRD0GTMrP9wI2x9xY=,iv:hepYzpp2stw6zjHpS2vr84rZrgifhEBK/UovRUWoV6c=,tag:XDwJc1rbI2F9gEr6o5tzgw==,type:comment] + password: ENC[AES256_GCM,data:AkkKp+w=,iv:juctW3iHu67VJ8aTOW0XmqCyzr/mXnQ6g4/1G+i+2rY=,tag:LCfo9IyhBMpqEdtMy/iNaA==,type:str] + #ENC[AES256_GCM,data:w8IVl9bCaSuivbgZ0XGH9NiM6lb3j7x9WX/hnIawG4ka6ayzkE/J3hf3dHuODQ==,iv:SbtCWprptkkCu8GIOQeh6gAYLuD+T1dyxZE1BOOLMns=,tag:Fa00ndoNxRIcSXDZFaH08Q==,type:comment] + postgresPassword: ENC[AES256_GCM,data:2BxdJ++kXX3t,iv:sARgDgLtsKve/KnqMxH2T8bTtyVZDtCWD8/EHIoXkqs=,tag:AJAkFd8EM+zEzd8YgRZlng==,type:str] + #ENC[AES256_GCM,data:xz+TDvCisDuBzo7xIsJXUanl1yELabUonk8dRUg1hoaU3EYIJQ==,iv:cWfTjhwfaUNLralnQRe1lmx8lcyxofXPrZU/LZEcQfc=,tag:jUukbPltv6NUOQKRCSoORw==,type:comment] + repmgrPassword: ENC[AES256_GCM,data:FC5NW9Jnm1CX,iv:/c1g/luv39LCBDI6Ayhw7O5SzOqgR5RFLtAouuHFWvQ=,tag:wP7xx0ga8i3lzVyVm2iiOQ==,type:str] + #ENC[AES256_GCM,data:3w4zrmvevybTsZzr5wgwF3h1UMJuizBQ0+wjyq++X899LCp0ild6YOcPR2KiOvn5zNitG7RW8LpwyWkw+hzK,iv:HnJl+UhEu/M9HeLy2ws/437lMC1ZjTlbEgMnEpG0FY4=,tag:Nxxj4q7eOh0+zmVLhXArcQ==,type:comment] + pgpoolPassword: ENC[AES256_GCM,data:MF8mAi9UpHwh,iv:TYvqtUtqFH+JcoHWfUk3SIrh/MsmEitRoGn4FWXyjNE=,tag:bJeGbXI7V8Vcn6EoEfzzHQ==,type:str] + pgpool: + #ENC[AES256_GCM,data:mwdpjpgs38LDNg0BQukw5t61RN5EHbvbGgDquuMezXCviYMViA==,iv:9QLGDdAAcUOMJAp40cOBC3qN3aBeuXvcj76UWbnazq8=,tag:kRW1CVpoaK7sXOHU4uHpcw==,type:comment] + adminPassword: ENC[AES256_GCM,data:9aheOLxvanH9,iv:q7CEnryzyh5zVJHqJ2veAVr9lRVNFPwM6ownxmI12Wg=,tag:EFOOxW7LPLCRJxuhwreo1A==,type:str] + #ENC[AES256_GCM,data:FAZHI4BENIuUyILlBh4m/vluaursEkO/yWuKp5mPpYnxYy3vI0Ichehu1o8405ENp1UjyN1bEA==,iv:CBjvgAF4RIEb0wpD+NV1oXAZCZof6X94S0Ny7JrKy5Q=,tag:ytSlhX8knkwKouX5wSO31A==,type:comment] + srCheckPassword: 
ENC[AES256_GCM,data:S5tluU9DfVKV,iv:5pdvQcnebpoBaQq422PTeIdvQKc0AJ3M+PyapnSe0hM=,tag:/sHw4GoqPOiOAnDVqnizqQ==,type:str] +sops: + age: + - recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eCtCczBraGlibTRpVTI5 + WGNVV0N3c2NZZ2dmL1lQTXBHcGtJODlTR2tFCnFmOTBCaDhOYW4raFg1WkJhYUxN + Q1Y0cnNkYUp6T0ZNUVNUY1RLNkZicEkKLS0tIGZDRkg0TmdkTGNvd1RQTWVacXRs + R0RHWml2LzRHcmpDUGRnY1Bwa3BOeWMKN52lakQFLMBflYC/KOTXLECJb6qlTVNG + xFlPrgVhMaF2dwTje/5QsSAOuvwQ4HJ7ot3KsUkQAhheqYeiOAxdPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-10T13:36:49Z" + mac: ENC[AES256_GCM,data:3D5CtE5lcEc20pH2iyLF3UaPRqlp3BFF1xbSjVtv6R/YYnnemjBcDKT8kbMWb5mGCGOYlJ7AE+ewmix3KdY1FZnNENRSXkTSMqlu8luRzXNq+QuXSA7ofAtC24VMiHGnCSgY+rxSbbKLC1dcdF4KblcAmKp5tv0/8XyzSWkswAI=,iv:xQ/OotVy329F150A8HEeUgf0l8iZB3LJm9/zm/b+SJg=,tag:pxotV1XcTJfgd3HGdS/eKQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2
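Review bot: The six password values under `postgresql-ha` have `data:` fields of only 8–12 base64 characters, and SOPS' AES-GCM ciphertext is as long as the plaintext, so these secrets are roughly 5–9 bytes and look like short or placeholder passwords. SCOPE.md in this same commit says Gitea runs on an external cnpg database (`gitea-db`), so this block may be a leftover from the bundled subchart; the visible keys also show no `enabled: false` for it, although the nesting is hard to confirm from this view. If the subchart is unused, drop the block and disable it explicitly (`postgresql-ha:` / `enabled: false`); otherwise rotate the values to long random secrets before this file becomes the source of truth. Only one recipient appears under `sops.age`, so a second recovery recipient is worth adding before the old copy in railiance-cluster is deleted.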