Finish Gitea container registry workplan

This commit is contained in:
2026-05-19 01:50:22 +02:00
parent 84271973ae
commit 8d7f77ac2a
4 changed files with 97 additions and 11 deletions

@@ -6,8 +6,11 @@ Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
live as of 2026-05-15 and returns the OCI registry authentication challenge over
HTTPS.
The encrypted Helm values still need an explicit package-registry stanza once
the SOPS age identity is available in the operator session.
Registry-specific Gitea settings are carried in
`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
values file by `make gitea-deploy`. It explicitly enables packages, permits
container uploads without an app-level size cap, clears globally disabled repo
units, and moves `ROOT_URL` to the HTTPS host.
Image names should use the Gitea owner and package path:
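Review bot: "permits container uploads without an app-level size cap" should say what bounds an upload instead (ingress request body limit, PVC quota), because the overlay is non-secret and any token with package write can push arbitrarily large blobs onto the shared `/data` volume. Two further gaps in the same paragraph: "clears globally disabled repo units" should list which units are re-enabled and why, since that widens Gitea features beyond the registry, and the removed sentence about the encrypted values needing "an explicit package-registry stanza" is replaced without saying whether that stanza was added or the overlay supersedes it; since the overlay is applied after the SOPS file, its `ROOT_URL` and package settings override anything in the encrypted values, which is worth stating.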
@@ -18,6 +21,19 @@ gitea.coulomb.social/coulomb/state-hub:<tag>
The State Hub handoff from `CUST-WP-0011` should publish the locally verified
`state-hub:local` image under that name.
The successful smoke-test tags were:
```bash
gitea.coulomb.social/coulomb/state-hub:6186a99
gitea.coulomb.social/coulomb/state-hub:latest
```
Digest:
```text
sha256:039d29654ccb3754c6ecdbe497c6364bbd8452edcdcb7fa937dd9debf5b734ff
```
## Operator Smoke Test
Use a Gitea personal access token with package read/write permission:
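Review bot: the tag list under "The successful smoke-test tags were:" is fenced as `bash` but contains image references, not commands; use a `text` fence as the digest block below it does. The digest also needs a subject: say that `sha256:039d2965…` is the manifest digest shared by `state-hub:6186a99` and `state-hub:latest` (if that is what was recorded) and where it was read from (push output or registry). Recommend adding the pinned form consumers should actually deploy, e.g. `gitea.coulomb.social/coulomb/state-hub@sha256:039d29654ccb…`, since `latest` is mutable and the digest is the only stable reference.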
@@ -29,6 +45,9 @@ docker push gitea.coulomb.social/coulomb/state-hub:<tag>
docker pull gitea.coulomb.social/coulomb/state-hub:<tag>
```
The `coulomb` organization packages are public by default, so the verified
cluster pull for `state-hub:6186a99` did not require an `imagePullSecret`.
For private packages, create an image pull secret in each consuming namespace:
```bash
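Review bot: "The `coulomb` organization packages are public by default" records that the `state-hub` image is anonymously pullable without saying whether that is intended; state the decision explicitly and document how to change the org package visibility if the image should be private. Separately, relying on the public default means the verified cluster pull silently breaks the moment visibility is tightened, so recommend creating the `gitea-registry` pull secret in consuming namespaces now rather than only "for private packages", and note that the PAT used in the smoke test should carry only package read/write scope.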
@@ -43,8 +62,10 @@ Reference it from workloads as `imagePullSecrets: [{name: gitea-registry}]`.
## Current Storage Notes
The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs are
expected to land on that existing PVC unless a separate package storage backend
is configured. The live cluster did not show Kubernetes `CronJob` backups for
the namespace during the 2026-05-15 inventory, so package backup coverage needs
operator confirmation before publishing many tags.
The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs land
under `/data/packages`. On 2026-05-19 that package directory was about 798.5 MiB.
The PVC is `default/gitea-shared-storage`, 10 GiB, `local-path`, `RWO`. The live
cluster showed no Kubernetes `CronJob` backup resources across namespaces on
2026-05-19. This is acceptable for the current smoke-test images, but heavy tag
growth should wait for a platform backup/retention follow-up.
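Review bot: `local-path` with `RWO` and no `CronJob` backups means the package blobs live on a single node's local disk, so the paragraph should say plainly that losing that node loses the registry contents, not only that "heavy tag growth should wait". Add the numbers already present as a usable threshold (798.5 MiB of 10 GiB, shared with repositories and the rest of `/data`) and keep the option the old text mentioned, "a separate package storage backend", in the follow-up so the backup/retention ticket considers moving packages off the shared PVC rather than only backing it up.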