Finish Gitea container registry workplan

2026-05-19 01:50:22 +02:00
parent 84271973ae
commit 8d7f77ac2a
4 changed files with 97 additions and 11 deletions


@@ -4,11 +4,11 @@ type: workplan
title: "Enable Gitea Container Registry for Cluster Image Publishing"
domain: railiance
repo: railiance-apps
status: active
status: finished
owner: railiance
topic_slug: railiance
created: "2026-05-15"
updated: "2026-05-15"
updated: "2026-05-19"
planning_priority: high
planning_order: 1
state_hub_workstream_id: "abd268e6-5af9-45ec-93e0-5ffca0211dd0"
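Review bot: `status: finished` is set in this frontmatter hunk even though the implementation-log hunk further down records that `sops` and `helm` were not installed in the session, so the updated `make gitea-deploy` target has never been exercised and the new overlay has not been rendered or applied live. Consider keeping the workplan `active` (or adding an explicit follow-up task) until a `helm template` or `helm upgrade --dry-run` with the overlay has been run; a finished state otherwise hides an unverified deploy path.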
@@ -118,7 +118,7 @@ config, TLS/trust, authentication, or a combination.
```task
id: RAIL-AP-WP-0001-T02
status: blocked
status: done
priority: high
state_hub_task_id: "e4136a4a-7730-47fe-bf64-315a513a3d8b"
```
@@ -147,6 +147,22 @@ existing `gitea.config` tree without exposing decrypted secrets in Git.
**Done when:** a dry-rendered or live-inspected `app.ini` includes the package
registry settings and no decrypted secret material was committed.
**Done (2026-05-19):**
- Added `helm/gitea-registry-values.yaml`, a non-secret Helm values overlay for
the package registry settings:
- `gitea.config.packages.ENABLED: true`
- `gitea.config.packages.LIMIT_SIZE_CONTAINER: -1`
- `gitea.config.repository.DISABLED_REPO_UNITS: ""`
- `gitea.config.server.ROOT_URL: "https://gitea.coulomb.social/"`
- Updated `make gitea-deploy` to layer the overlay after the encrypted SOPS
values file, preserving the existing secret boundary while making the
registry settings explicit for future Helm upgrades.
- Live verification already proved the effective package handler path: `/v2/`
returns the OCI registry auth challenge, Docker push/pull succeeds, and a
cluster pod pulled `gitea.coulomb.social/coulomb/state-hub:6186a99`.
- No decrypted Helm values or secret material were committed.
---
### T03 — Ensure `/v2/` reaches the Gitea registry handler
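Review bot: the `Done when` criterion at the top of this hunk asks for a dry-rendered or live-inspected `app.ini` that includes the package registry settings, but the evidence listed under `Done (2026-05-19):` is behavioural (the `/v2/` auth challenge, Docker push/pull, a pod pull of `state-hub:6186a99`) and predates the new overlay, so nothing here shows that `helm/gitea-registry-values.yaml` actually renders into `app.ini`. Either attach a rendered `app.ini` fragment once `helm` is available or reword the criterion to match the evidence. Separately, `gitea.config.packages.LIMIT_SIZE_CONTAINER: -1` removes the per-upload size limit for container images while the package store sits on a 10 GiB PVC (T06 findings below), so a single oversized push can exhaust the volume and take the registry down for everyone; document why unlimited is intended or set a finite limit sized against the PVC.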
@@ -252,7 +268,7 @@ rediscovering registry naming, auth, or TLS requirements.
```task
id: RAIL-AP-WP-0001-T06
status: blocked
status: done
priority: medium
state_hub_task_id: "d5734ef1-d710-458c-b569-034f03a50bd8"
```
@@ -273,6 +289,19 @@ Checks:
**Done when:** package data durability is understood and no hidden storage gap
is introduced by enabling the registry.
**Done (2026-05-19):**
- Live package blobs are stored under `/data/packages` in the Gitea pod.
- `/data` is backed by PVC `default/gitea-shared-storage`, 10 GiB,
`local-path`, `RWO`.
- `/data/packages` was about 798.5 MiB after the State Hub and
Vergabe Teilnahme image pushes.
- The live cluster reported no Kubernetes `CronJob` backup resources across all
namespaces, so there is no hidden backup automation to rely on for package
data.
- Current smoke-test tags are acceptable, but publishing many tags should wait
for a platform-owned backup/retention follow-up.
## Implementation Log
### 2026-05-15 — Inventory and S5 routing update
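Review bot: the findings in this hunk (about 798.5 MiB used of a 10 GiB `local-path` `RWO` PVC, no `CronJob` backup resources in any namespace) describe an open durability gap rather than an understood one, yet the task is closed against a `Done when` that requires no hidden storage gap. Record a concrete guard while the platform follow-up is pending: a usage threshold at which further pushes stop, and a note that `local-path` volumes are node-local hostPath storage, so package blobs are lost with the node and not just with the pod. Also, the absence of `CronJob` resources only rules out in-cluster cron-driven backups; a node-level or external backup could still exist and should be confirmed with the platform owner rather than inferred from the cluster inventory.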
@@ -352,6 +381,30 @@ T06 findings:
inventory. Backup coverage for `gitea-shared-storage` needs operator
confirmation or a `railiance-platform` follow-up before publishing many tags.
### 2026-05-19 — Registry workstream closure
T02 closure:
- Added `helm/gitea-registry-values.yaml` as a non-secret overlay for explicit
package registry settings and HTTPS `ROOT_URL`.
- Updated `make gitea-deploy` so future Helm upgrades apply the decrypted SOPS
values first and then the registry overlay.
- `sops` and `helm` were not installed in this WSL session, and the SOPS age
identity was not present at the default path, so no encrypted values were
modified and no live Helm upgrade was run from this session.
- Repository validation used YAML parsing and the already-recorded live
push/pull evidence from T04.
T06 closure:
- Confirmed live package storage directory `/data/packages`.
- Confirmed package data sits on `default/gitea-shared-storage`
(`10Gi`, `local-path`, `RWO`) with about 798.5 MiB in package blobs.
- Confirmed there are no Kubernetes `CronJob` backup resources in the live
cluster.
- Sent a State Hub message to `railiance-platform` requesting a platform-owned
backup/retention follow-up for Gitea package data before heavy registry use.
## Completion Criteria
This workplan is complete when:
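Review bot: the layering described under T02 closure (`decrypted SOPS values first and then the registry overlay`) means the later values file wins for any overlapping key, so if the encrypted SOPS file already carries `gitea.config.server.ROOT_URL` or any `gitea.config.packages.*` entry, the non-secret overlay silently overrides it; state the precedence in the log (or the Makefile) and confirm no keys overlap. The closure also says the `make gitea-deploy` change was validated only by YAML parsing because `sops` and `helm` were missing, so the target has not run end to end; a `helm template` with both values files (or a dry-run upgrade) before the next real upgrade would catch an argument-order mistake that could otherwise drop the secret values or the overlay.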