# Gitea Container Registry

## Registry Target

Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is live as of 2026-05-15 and returns the OCI registry authentication challenge over HTTPS. The encrypted Helm values still need an explicit package-registry stanza once the SOPS age identity is available in the operator session.

Image names should use the Gitea owner and package path:

```bash
gitea.coulomb.social/coulomb/state-hub:
```

The State Hub handoff from `CUST-WP-0011` should publish the locally verified `state-hub:local` image under that name.

## Operator Smoke Test

Use a Gitea personal access token with package read/write permission:

```bash
docker login gitea.coulomb.social
docker tag state-hub:local gitea.coulomb.social/coulomb/state-hub:
docker push gitea.coulomb.social/coulomb/state-hub:
docker pull gitea.coulomb.social/coulomb/state-hub:
```

For private packages, create an image pull secret in each consuming namespace:

```bash
kubectl create secret docker-registry gitea-registry \
  --docker-server=gitea.coulomb.social \
  --docker-username= \
  --docker-password= \
  --namespace=
```

Reference it from workloads as `imagePullSecrets: [{name: gitea-registry}]`.

## Current Storage Notes

The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs are expected to land on that existing PVC unless a separate package storage backend is configured. The live cluster did not show Kubernetes `CronJob` backups for the namespace during the 2026-05-15 inventory, so package backup coverage needs operator confirmation before publishing many tags.
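
The `/v2` authentication challenge described under Registry Target can be checked from a captured response head before running the push/pull smoke test. This is an added example, not part of the original runbook: `check_v2_challenge` is a hypothetical helper, the sample response heads are constructed, and requiring a Bearer token realm to be HTTPS on the approved host is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): validate a captured /v2/ response head.
# Usage: curl -sSI https://gitea.coulomb.social/v2/ | check_v2_challenge gitea.coulomb.social
# Returns 0 for a well-formed challenge; 1-4 identify which check failed.
check_v2_challenge() {
    host=$1
    resp=$(tr -d '\r')                      # HTTP heads use CRLF line endings
    status=$(printf '%s\n' "$resp" | awk 'NR == 1 { print $2 }')
    if [ "$status" != "401" ]; then
        echo "FAIL: unauthenticated /v2/ returned '$status', expected 401"; return 1
    fi
    # Header names are case-insensitive (HTTP/2 sends them in lower case).
    challenge=$(printf '%s\n' "$resp" |
        awk 'tolower($0) ~ /^www-authenticate:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    if [ -z "$challenge" ]; then
        echo "FAIL: 401 without a WWW-Authenticate header"; return 2
    fi
    scheme=${challenge%% *}
    case "$scheme" in
        Bearer|Basic) ;;
        *) echo "FAIL: unexpected auth scheme '$scheme'"; return 3 ;;
    esac
    if [ "$scheme" = "Bearer" ]; then
        # Assumption: the token realm should be HTTPS on the approved host.
        realm=$(printf '%s\n' "$challenge" | sed -n 's/.*realm="\([^"]*\)".*/\1/p')
        case "$realm" in
            "https://$host/"*) ;;
            *) echo "FAIL: token realm '$realm' is not https://$host/..."; return 4 ;;
        esac
    fi
    echo "OK: $scheme challenge from $host"
}

# Constructed sample response heads (not captured from the live registry).
SAMPLE_OK='HTTP/2 401
www-authenticate: Bearer realm="https://gitea.coulomb.social/v2/token",service="container_registry"
docker-distribution-api-version: registry/2.0'
SAMPLE_BAD_REALM='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Bearer realm="http://localhost:3000/v2/token",service="container_registry"'
SAMPLE_NO_AUTH='HTTP/1.1 200 OK
Content-Type: application/json'

printf '%s\n' "$SAMPLE_OK" | check_v2_challenge gitea.coulomb.social
```

A return code of 4 means the registry would direct clients to fetch tokens from a non-HTTPS or off-host realm, so `docker login` credentials would not stay on the approved host.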