From 8d7f77ac2a631c0825b28c6d1dd0fbb27ce52128 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Tue, 19 May 2026 01:50:22 +0200
Subject: [PATCH] Finish Gitea container registry workplan

---
 Makefile | 2 +
 docs/gitea-container-registry.md | 35 ++++++++---
 helm/gitea-registry-values.yaml | 10 +++
 ...AIL-AP-WP-0001-gitea-container-registry.md | 61 +++++++++++++++++--
 4 files changed, 97 insertions(+), 11 deletions(-)
 create mode 100644 helm/gitea-registry-values.yaml

diff --git a/Makefile b/Makefile
index 935b9c6..f1d9b1f 100644
--- a/Makefile
+++ b/Makefile
@@ -5,6 +5,7 @@ GITEA_RELEASE ?= gitea
 GITEA_NAMESPACE ?= default
 GITEA_CHART ?= gitea-charts/gitea
 GITEA_VALUES ?= helm/gitea-values.sops.yaml
+GITEA_REGISTRY_VALUES ?= helm/gitea-registry-values.yaml
 GITEA_INGRESS ?= manifests/gitea-ingress.yaml
 
 ##@ Gitea
@@ -12,6 +13,7 @@ GITEA_INGRESS ?= manifests/gitea-ingress.yaml
 gitea-deploy: ## Deploy / upgrade Gitea (S5 workload)
 	helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART) \
 	  -f <(sops -d $(GITEA_VALUES)) \
+	  -f $(GITEA_REGISTRY_VALUES) \
 	  --namespace $(GITEA_NAMESPACE) --create-namespace
 
 gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress
diff --git a/docs/gitea-container-registry.md b/docs/gitea-container-registry.md
index 72aaf7e..e7551d6 100644
--- a/docs/gitea-container-registry.md
+++ b/docs/gitea-container-registry.md
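Review bot: The added `-f $(GITEA_REGISTRY_VALUES)` sits in a recipe whose previous line relies on bash process substitution, `<(sops -d $(GITEA_VALUES))`, and nothing in this hunk sets `SHELL`; if the file head (outside the hunk) does not pin it, GNU make's default `/bin/sh` rejects `<(` with a syntax error and `helm upgrade` never runs, so add `SHELL := bash` next to the variables if it is not already there. The ordering is also security-relevant and undocumented: Helm takes later `-f` files as overrides, so every key the plaintext overlay sets (`server.ROOT_URL`, `repository.DISABLED_REPO_UNITS`, `packages.*`) silently wins over the decrypted SOPS values, which can undo a deliberately restrictive setting kept in the encrypted file. A comment above the target would make that contract explicit, e.g. `# Registry overlay is passed last on purpose: its keys override the SOPS values.` The `gitea-deploy` target is shown in full within this hunk.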
@@ -6,8 +6,11 @@ Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is live as of 2026-05-15 and returns the OCI registry authentication challenge over HTTPS. -The encrypted Helm values still need an explicit package-registry stanza once -the SOPS age identity is available in the operator session. +Registry-specific Gitea settings are carried in +`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS +values file by `make gitea-deploy`. It explicitly enables packages, permits +container uploads without an app-level size cap, clears globally disabled repo +units, and moves `ROOT_URL` to the HTTPS host. Image names should use the Gitea owner and package path: @@ -18,6 +21,19 @@ gitea.coulomb.social/coulomb/state-hub: The State Hub handoff from `CUST-WP-0011` should publish the locally verified `state-hub:local` image under that name. +The successful smoke-test tags were: + +```bash +gitea.coulomb.social/coulomb/state-hub:6186a99 +gitea.coulomb.social/coulomb/state-hub:latest +``` + +Digest: + +```text +sha256:039d29654ccb3754c6ecdbe497c6364bbd8452edcdcb7fa937dd9debf5b734ff +``` + ## Operator Smoke Test Use a Gitea personal access token with package read/write permission: @@ -29,6 +45,9 @@ docker push gitea.coulomb.social/coulomb/state-hub: docker pull gitea.coulomb.social/coulomb/state-hub: ``` +The `coulomb` organization packages are public by default, so the verified +cluster pull for `state-hub:6186a99` did not require an `imagePullSecret`. + For private packages, create an image pull secret in each consuming namespace: ```bash 
@@ -43,8 +62,10 @@ Reference it from workloads as `imagePullSecrets: [{name: gitea-registry}]`.
 
 ## Current Storage Notes
 
-The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs are
-expected to land on that existing PVC unless a separate package storage backend
-is configured. The live cluster did not show Kubernetes `CronJob` backups for
-the namespace during the 2026-05-15 inventory, so package backup coverage needs
-operator confirmation before publishing many tags.
+The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs land
+under `/data/packages`. On 2026-05-19 that package directory was about 798.5 MiB.
+
+The PVC is `default/gitea-shared-storage`, 10 GiB, `local-path`, `RWO`. The live
+cluster showed no Kubernetes `CronJob` backup resources across namespaces on
+2026-05-19. This is acceptable for the current smoke-test images, but heavy tag
+growth should wait for a platform backup/retention follow-up.
diff --git a/helm/gitea-registry-values.yaml b/helm/gitea-registry-values.yaml
new file mode 100644
index 0000000..2d75e13
--- /dev/null
+++ b/helm/gitea-registry-values.yaml
@@ -0,0 +1,10 @@
+# Non-secret Gitea registry settings layered after the SOPS values file.
+gitea:
+  config:
+    packages:
+      ENABLED: true
+      LIMIT_SIZE_CONTAINER: -1
+    repository:
+      DISABLED_REPO_UNITS: ""
+    server:
+      ROOT_URL: "https://gitea.coulomb.social/"
diff --git a/workplans/RAIL-AP-WP-0001-gitea-container-registry.md b/workplans/RAIL-AP-WP-0001-gitea-container-registry.md
index d2a854c..2113a93 100644
--- a/workplans/RAIL-AP-WP-0001-gitea-container-registry.md
+++ b/workplans/RAIL-AP-WP-0001-gitea-container-registry.md
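Review bot: `LIMIT_SIZE_CONTAINER: -1` removes Gitea's only per-upload size guard for container blobs while, per the docs hunk in this same patch, the blobs land on a shared 10 GiB `local-path` PVC with no backup automation, so a single oversized push from any holder of a token with package write scope can fill `/data` and take the whole Gitea instance down. Prefer a finite cap (Gitea accepts unit suffixes, e.g. `LIMIT_SIZE_CONTAINER: "2 GiB"`) and, if the deployed Gitea version supports them, the owner-level `LIMIT_TOTAL_OWNER_SIZE` / `LIMIT_TOTAL_OWNER_COUNT` quotas in the same `packages` block. `DISABLED_REPO_UNITS: ""` is broader than the registry needs: it re-enables every repository unit instance-wide, and because this overlay is applied after the SOPS values it also reverts any unit the encrypted file disables on purpose, so at minimum a comment stating which unit had to be re-enabled and why belongs on that line. Since the workplan hunk records that no live `helm upgrade` was run from this session, confirm against a rendered `app.ini` that the chart maps `gitea.config.packages` onto Gitea's `[packages]` section before relying on these values.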
@@ -4,11 +4,11 @@ type: workplan title: "Enable Gitea Container Registry for Cluster Image Publishing" domain: railiance repo: railiance-apps -status: active +status: finished owner: railiance topic_slug: railiance created: "2026-05-15" -updated: "2026-05-15" +updated: "2026-05-19" planning_priority: high planning_order: 1 state_hub_workstream_id: "abd268e6-5af9-45ec-93e0-5ffca0211dd0" @@ -118,7 +118,7 @@ config, TLS/trust, authentication, or a combination. ```task id: RAIL-AP-WP-0001-T02 -status: blocked +status: done priority: high state_hub_task_id: "e4136a4a-7730-47fe-bf64-315a513a3d8b" ``` @@ -147,6 +147,22 @@ existing `gitea.config` tree without exposing decrypted secrets in Git. **Done when:** a dry-rendered or live-inspected `app.ini` includes the package registry settings and no decrypted secret material was committed. +**Done (2026-05-19):** + +- Added `helm/gitea-registry-values.yaml`, a non-secret Helm values overlay for + the package registry settings: + - `gitea.config.packages.ENABLED: true` + - `gitea.config.packages.LIMIT_SIZE_CONTAINER: -1` + - `gitea.config.repository.DISABLED_REPO_UNITS: ""` + - `gitea.config.server.ROOT_URL: "https://gitea.coulomb.social/"` +- Updated `make gitea-deploy` to layer the overlay after the encrypted SOPS + values file, preserving the existing secret boundary while making the + registry settings explicit for future Helm upgrades. +- Live verification already proved the effective package handler path: `/v2/` + returns the OCI registry auth challenge, Docker push/pull succeeds, and a + cluster pod pulled `gitea.coulomb.social/coulomb/state-hub:6186a99`. +- No decrypted Helm values or secret material were committed. + --- ### T03 — Ensure `/v2/` reaches the Gitea registry handler @@ -252,7 +268,7 @@ rediscovering registry naming, auth, or TLS requirements. ```task id: RAIL-AP-WP-0001-T06 -status: blocked +status: done priority: medium state_hub_task_id: "d5734ef1-d710-458c-b569-034f03a50bd8" ``` 
@@ -273,6 +289,19 @@ Checks: **Done when:** package data durability is understood and no hidden storage gap is introduced by enabling the registry. +**Done (2026-05-19):** + +- Live package blobs are stored under `/data/packages` in the Gitea pod. +- `/data` is backed by PVC `default/gitea-shared-storage`, 10 GiB, + `local-path`, `RWO`. +- `/data/packages` was about 798.5 MiB after the State Hub and + Vergabe Teilnahme image pushes. +- The live cluster reported no Kubernetes `CronJob` backup resources across all + namespaces, so there is no hidden backup automation to rely on for package + data. +- Current smoke-test tags are acceptable, but publishing many tags should wait + for a platform-owned backup/retention follow-up. + ## Implementation Log ### 2026-05-15 — Inventory and S5 routing update 
@@ -352,6 +381,30 @@ T06 findings: inventory. Backup coverage for `gitea-shared-storage` needs operator confirmation or a `railiance-platform` follow-up before publishing many tags. +### 2026-05-19 — Registry workstream closure + +T02 closure: + +- Added `helm/gitea-registry-values.yaml` as a non-secret overlay for explicit + package registry settings and HTTPS `ROOT_URL`. +- Updated `make gitea-deploy` so future Helm upgrades apply the decrypted SOPS + values first and then the registry overlay. +- `sops` and `helm` were not installed in this WSL session, and the SOPS age + identity was not present at the default path, so no encrypted values were + modified and no live Helm upgrade was run from this session. +- Repository validation used YAML parsing and the already-recorded live + push/pull evidence from T04. + +T06 closure: + +- Confirmed live package storage directory `/data/packages`. +- Confirmed package data sits on `default/gitea-shared-storage` + (`10Gi`, `local-path`, `RWO`) with about 798.5 MiB in package blobs. +- Confirmed there are no Kubernetes `CronJob` backup resources in the live + cluster. +- Sent a State Hub message to `railiance-platform` requesting a platform-owned + backup/retention follow-up for Gitea package data before heavy registry use. + ## Completion Criteria This workplan is complete when: