Gitea Container Registry
Registry Target
Use gitea.coulomb.social as the approved registry host. The /v2 ingress is
live as of 2026-05-15 and returns the OCI registry authentication challenge over
HTTPS.
The encrypted Helm values still need an explicit package-registry stanza once the SOPS age identity is available in the operator session.
Image names should use the Gitea owner and package path:
    gitea.coulomb.social/coulomb/state-hub:<tag>
The State Hub handoff from CUST-WP-0011 should publish the locally verified
state-hub:local image under that name.
Operator Smoke Test
Use a Gitea personal access token with package read/write permission:
    docker login gitea.coulomb.social
    docker tag state-hub:local gitea.coulomb.social/coulomb/state-hub:<tag>
    docker push gitea.coulomb.social/coulomb/state-hub:<tag>
    docker pull gitea.coulomb.social/coulomb/state-hub:<tag>
For private packages, create an image pull secret in each consuming namespace:
    kubectl create secret docker-registry gitea-registry \
      --docker-server=gitea.coulomb.social \
      --docker-username=<gitea-user> \
      --docker-password=<package-token> \
      --namespace=<namespace>
Reference it from workloads as imagePullSecrets: [{name: gitea-registry}].
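Passing the token as --docker-password=... leaves it in shell history and in the process list while kubectl runs. The following is an added example, not part of the original page or the project's own tooling: it renders the same gitea-registry pull secret as a manifest with the token read from stdin. The helper name render_pull_secret is hypothetical, and the user, namespace and token file are placeholders.

```shell
# Added example (not from the original page). render_pull_secret is a
# hypothetical helper; user, namespace and token file are placeholders.
REGISTRY="gitea.coulomb.social"

# Usage:
#   render_pull_secret <gitea-user> <namespace> < token-file | kubectl apply -f -
# The same idea for the smoke test login:
#   docker login --username <gitea-user> --password-stdin "$REGISTRY" < token-file
render_pull_secret() {
  local user="$1" ns="$2" token auth cfg
  # Read the package token from stdin so it never appears in argv.
  IFS= read -r token || [ -n "$token" ] || { echo "no token on stdin" >&2; return 1; }
  if [ -z "$user" ] || [ -z "$ns" ]; then
    echo "usage: render_pull_secret <gitea-user> <namespace> < token-file" >&2
    return 1
  fi
  # Refuse characters that would need JSON escaping rather than emit a broken config.
  case "$user$token" in
    *[\"\\]*) echo "user or token contains a quote or backslash" >&2; return 1 ;;
  esac
  # Docker config format: auths.<registry>.auth = base64("user:token").
  auth=$(printf '%s:%s' "$user" "$token" | base64 | tr -d '\n')
  cfg=$(printf '{"auths":{"%s":{"auth":"%s"}}}' "$REGISTRY" "$auth" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: gitea-registry
  namespace: ${ns}
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: ${cfg}
EOF
}
```

The rendered manifest still contains the token in base64, so pipe it straight to kubectl rather than writing it to disk or committing it.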
Current Storage Notes
The live Gitea pod mounts gitea-shared-storage at /data; package blobs are
expected to land on that existing PVC unless a separate package storage backend
is configured. The live cluster did not show Kubernetes CronJob backups for
the namespace during the 2026-05-15 inventory, so package backup coverage needs
operator confirmation before publishing many tags.