Finish Gitea container registry workplan

Makefile

@@ -5,6 +5,7 @@ GITEA_RELEASE ?= gitea
 GITEA_NAMESPACE ?= default
 GITEA_CHART ?= gitea-charts/gitea
 GITEA_VALUES ?= helm/gitea-values.sops.yaml
+GITEA_REGISTRY_VALUES ?= helm/gitea-registry-values.yaml
 GITEA_INGRESS ?= manifests/gitea-ingress.yaml
 
 ##@ Gitea
@@ -12,6 +13,7 @@ GITEA_INGRESS ?= manifests/gitea-ingress.yaml
 gitea-deploy: ## Deploy / upgrade Gitea (S5 workload)
 	helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART) \
 		-f <(sops -d $(GITEA_VALUES)) \
+		-f $(GITEA_REGISTRY_VALUES) \
 		--namespace $(GITEA_NAMESPACE) --create-namespace
 
 gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress

docs/gitea-container-registry.md

@@ -6,8 +6,11 @@ Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
 live as of 2026-05-15 and returns the OCI registry authentication challenge over
 HTTPS.
 
-The encrypted Helm values still need an explicit package-registry stanza once
-the SOPS age identity is available in the operator session.
+Registry-specific Gitea settings are carried in
+`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
+values file by `make gitea-deploy`. It explicitly enables packages, permits
+container uploads without an app-level size cap, clears globally disabled repo
+units, and moves `ROOT_URL` to the HTTPS host.
 
 Image names should use the Gitea owner and package path:
 
@@ -18,6 +21,19 @@ gitea.coulomb.social/coulomb/state-hub:<tag>
 The State Hub handoff from `CUST-WP-0011` should publish the locally verified
 `state-hub:local` image under that name.
 
+The successful smoke-test tags were:
+
+```bash
+gitea.coulomb.social/coulomb/state-hub:6186a99
+gitea.coulomb.social/coulomb/state-hub:latest
+```
+
+Digest:
+
+```text
+sha256:039d29654ccb3754c6ecdbe497c6364bbd8452edcdcb7fa937dd9debf5b734ff
+```
+
 ## Operator Smoke Test
 
 Use a Gitea personal access token with package read/write permission:
@@ -29,6 +45,9 @@ docker push gitea.coulomb.social/coulomb/state-hub:<tag>
 docker pull gitea.coulomb.social/coulomb/state-hub:<tag>
 ```
 
+The `coulomb` organization packages are public by default, so the verified
+cluster pull for `state-hub:6186a99` did not require an `imagePullSecret`.
+
 For private packages, create an image pull secret in each consuming namespace:
 
 ```bash
@@ -43,8 +62,10 @@ Reference it from workloads as `imagePullSecrets: [{name: gitea-registry}]`.
 
 ## Current Storage Notes
 
-The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs are
-expected to land on that existing PVC unless a separate package storage backend
-is configured. The live cluster did not show Kubernetes `CronJob` backups for
-the namespace during the 2026-05-15 inventory, so package backup coverage needs
-operator confirmation before publishing many tags.
+The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs land
+under `/data/packages`. On 2026-05-19 that package directory was about 798.5 MiB.
+
+The PVC is `default/gitea-shared-storage`, 10 GiB, `local-path`, `RWO`. The live
+cluster showed no Kubernetes `CronJob` backup resources across namespaces on
+2026-05-19. This is acceptable for the current smoke-test images, but heavy tag
+growth should wait for a platform backup/retention follow-up.

helm/gitea-registry-values.yaml

@@ -0,0 +1,10 @@
+# Non-secret Gitea registry settings layered after the SOPS values file.
+gitea:
+  config:
+    packages:
+      ENABLED: true
+      LIMIT_SIZE_CONTAINER: -1
+    repository:
+      DISABLED_REPO_UNITS: ""
+    server:
+      ROOT_URL: "https://gitea.coulomb.social/"

workplans/RAIL-AP-WP-0001-gitea-container-registry.md

@@ -4,11 +4,11 @@ type: workplan
 title: "Enable Gitea Container Registry for Cluster Image Publishing"
 domain: railiance
 repo: railiance-apps
-status: active
+status: finished
 owner: railiance
 topic_slug: railiance
 created: "2026-05-15"
-updated: "2026-05-15"
+updated: "2026-05-19"
 planning_priority: high
 planning_order: 1
 state_hub_workstream_id: "abd268e6-5af9-45ec-93e0-5ffca0211dd0"
@@ -118,7 +118,7 @@ config, TLS/trust, authentication, or a combination.
 
 ```task
 id: RAIL-AP-WP-0001-T02
-status: blocked
+status: done
 priority: high
 state_hub_task_id: "e4136a4a-7730-47fe-bf64-315a513a3d8b"
 ```
@@ -147,6 +147,22 @@ existing `gitea.config` tree without exposing decrypted secrets in Git.
 **Done when:** a dry-rendered or live-inspected `app.ini` includes the package
 registry settings and no decrypted secret material was committed.
 
+**Done (2026-05-19):**
+
+- Added `helm/gitea-registry-values.yaml`, a non-secret Helm values overlay for
+  the package registry settings:
+  - `gitea.config.packages.ENABLED: true`
+  - `gitea.config.packages.LIMIT_SIZE_CONTAINER: -1`
+  - `gitea.config.repository.DISABLED_REPO_UNITS: ""`
+  - `gitea.config.server.ROOT_URL: "https://gitea.coulomb.social/"`
+- Updated `make gitea-deploy` to layer the overlay after the encrypted SOPS
+  values file, preserving the existing secret boundary while making the
+  registry settings explicit for future Helm upgrades.
+- Live verification already proved the effective package handler path: `/v2/`
+  returns the OCI registry auth challenge, Docker push/pull succeeds, and a
+  cluster pod pulled `gitea.coulomb.social/coulomb/state-hub:6186a99`.
+- No decrypted Helm values or secret material were committed.
+
 ---
 
 ### T03 — Ensure `/v2/` reaches the Gitea registry handler
@@ -252,7 +268,7 @@ rediscovering registry naming, auth, or TLS requirements.
 
 ```task
 id: RAIL-AP-WP-0001-T06
-status: blocked
+status: done
 priority: medium
 state_hub_task_id: "d5734ef1-d710-458c-b569-034f03a50bd8"
 ```
@@ -273,6 +289,19 @@ Checks:
 **Done when:** package data durability is understood and no hidden storage gap
 is introduced by enabling the registry.
 
+**Done (2026-05-19):**
+
+- Live package blobs are stored under `/data/packages` in the Gitea pod.
+- `/data` is backed by PVC `default/gitea-shared-storage`, 10 GiB,
+  `local-path`, `RWO`.
+- `/data/packages` was about 798.5 MiB after the State Hub and
+  Vergabe Teilnahme image pushes.
+- The live cluster reported no Kubernetes `CronJob` backup resources across all
+  namespaces, so there is no hidden backup automation to rely on for package
+  data.
+- Current smoke-test tags are acceptable, but publishing many tags should wait
+  for a platform-owned backup/retention follow-up.
+
 ## Implementation Log
 
 ### 2026-05-15 — Inventory and S5 routing update
@@ -352,6 +381,30 @@ T06 findings:
   inventory. Backup coverage for `gitea-shared-storage` needs operator
   confirmation or a `railiance-platform` follow-up before publishing many tags.
 
+### 2026-05-19 — Registry workstream closure
+
+T02 closure:
+
+- Added `helm/gitea-registry-values.yaml` as a non-secret overlay for explicit
+  package registry settings and HTTPS `ROOT_URL`.
+- Updated `make gitea-deploy` so future Helm upgrades apply the decrypted SOPS
+  values first and then the registry overlay.
+- `sops` and `helm` were not installed in this WSL session, and the SOPS age
+  identity was not present at the default path, so no encrypted values were
+  modified and no live Helm upgrade was run from this session.
+- Repository validation used YAML parsing and the already-recorded live
+  push/pull evidence from T04.
+
+T06 closure:
+
+- Confirmed live package storage directory `/data/packages`.
+- Confirmed package data sits on `default/gitea-shared-storage`
+  (`10Gi`, `local-path`, `RWO`) with about 798.5 MiB in package blobs.
+- Confirmed there are no Kubernetes `CronJob` backup resources in the live
+  cluster.
+- Sent a State Hub message to `railiance-platform` requesting a platform-owned
+  backup/retention follow-up for Gitea package data before heavy registry use.
+
 ## Completion Criteria
 
 This workplan is complete when: