# Gitea Container Registry

## Registry Target

Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
live as of 2026-05-15 and returns the OCI registry authentication challenge over
HTTPS.

The encrypted Helm values still need an explicit package-registry stanza once
the SOPS age identity is available in the operator session.

Image names should use the Gitea owner and package path:

```text
gitea.coulomb.social/coulomb/state-hub:<tag>
```

The State Hub handoff from `CUST-WP-0011` should publish the locally verified
`state-hub:local` image under that name.

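The `/v2` authentication challenge noted at the start of this section can be checked before any `docker login`. The script below is an added example, not part of the original runbook: `check_v2_challenge`, `sample_headers` and the sample headers are constructed for illustration. It requires a 401 from `/v2/` and, for a Bearer challenge, a realm that is HTTPS on the approved host, because the realm is where the client sends its credentials to obtain a token.

```shell
#!/bin/sh
# Added example (not from the original page): validate /v2/ response headers
# read from stdin. Prints a verdict; exit status 0 only for an acceptable challenge.
check_v2_challenge() (
  host="$1"
  headers=$(tr -d '\r')   # HTTP header lines end in CRLF; drop the CRs
  status=$(printf '%s\n' "$headers" |
    sed -n '1s|^HTTP/[0-9.]* \([0-9][0-9]*\).*|\1|p')
  challenge=$(printf '%s\n' "$headers" | grep -i '^www-authenticate:' | head -n 1)
  scheme=$(printf '%s\n' "$challenge" |
    sed -n 's/^[^:]*:[[:space:]]*\([A-Za-z]*\).*/\1/p' |
    tr '[:upper:]' '[:lower:]')
  realm=$(printf '%s\n' "$challenge" | sed -n 's/.*[Rr]ealm="\([^"]*\)".*/\1/p')

  if [ "$status" != "401" ]; then
    echo "FAIL: expected 401 from /v2/, got '${status:-no status line}'"
    exit 1
  fi
  case "$scheme" in
    basic) echo "OK: Basic challenge, credentials go to $host itself"; exit 0 ;;
    bearer) ;;
    *) echo "FAIL: missing or unsupported WWW-Authenticate scheme"; exit 1 ;;
  esac
  # Bearer: the client presents its credentials to the realm URL, so the realm
  # must be HTTPS and on the approved host (the trailing "/" blocks look-alikes).
  case "$realm" in
    "https://$host/"*) echo "OK: Bearer realm $realm"; exit 0 ;;
    *) echo "FAIL: Bearer realm '$realm' is not under https://$host/"; exit 1 ;;
  esac
)

# Constructed sample headers (not captured from the live host).
sample_headers() {
  printf 'HTTP/1.1 401 Unauthorized\r\n'
  printf 'Docker-Distribution-Api-Version: registry/2.0\r\n'
  printf 'WWW-Authenticate: Bearer realm="%s",service="container_registry",scope="*"\r\n' "$1"
}

# Expected realm passes; a plaintext realm is rejected.
sample_headers "https://gitea.coulomb.social/v2/token" |
  check_v2_challenge gitea.coulomb.social
sample_headers "http://gitea.coulomb.social/v2/token" |
  check_v2_challenge gitea.coulomb.social || true
```

Against the live registry, pipe in the real headers: `curl -sS -o /dev/null -D - https://gitea.coulomb.social/v2/ | check_v2_challenge gitea.coulomb.social`.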
## Operator Smoke Test

Use a Gitea personal access token with package read/write permission:

```bash
# Enter the Gitea username and the personal access token when prompted
docker login gitea.coulomb.social
# Tag the locally verified image with the registry name, then push it
docker tag state-hub:local gitea.coulomb.social/coulomb/state-hub:<tag>
docker push gitea.coulomb.social/coulomb/state-hub:<tag>
# Pull it back to confirm the round trip
docker pull gitea.coulomb.social/coulomb/state-hub:<tag>
```

For private packages, create an image pull secret in each consuming namespace:

```bash
kubectl create secret docker-registry gitea-registry \
  --docker-server=gitea.coulomb.social \
  --docker-username=<gitea-user> \
  --docker-password=<package-token> \
  --namespace=<namespace>
```

Reference it from workloads as `imagePullSecrets: [{name: gitea-registry}]`.

## Current Storage Notes

The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs are
expected to land on that existing PVC unless a separate package storage backend
is configured. The live cluster did not show Kubernetes `CronJob` backups for
the namespace during the 2026-05-15 inventory, so package backup coverage needs
operator confirmation before publishing many tags.