Canonicalize registry docs and read-only ops

2026-06-05 12:07:27 +02:00
parent 114ae9a26e
commit 32c44cc78e
11 changed files with 449 additions and 32 deletions
--- a/docs/gitea-container-registry.md
+++ b/docs/gitea-container-registry.md
@@ -0,0 +1,84 @@
+# Gitea Container Registry
+
+This is the canonical Railiance operating note for the current Gitea container
+registry. Compatibility pointers remain in `railiance-apps` while deploy-capable
+Gitea Helm and manifest files still live there.
+
+## Registry Target
+
+Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
+live as of 2026-05-15 and returns the OCI registry authentication challenge over
+HTTPS.
+
+Registry-specific Gitea settings are currently carried in
+`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`, a non-secret
+overlay applied after the SOPS values file by `make gitea-deploy`. It explicitly
+enables packages, permits container and PyPI uploads without an app-level size
+cap, clears globally disabled repo units, and moves `ROOT_URL` to the HTTPS
+host.
+
+Image names should use the Gitea owner and package path:
+
+```bash
+gitea.coulomb.social/coulomb/state-hub:<tag>
+```
+
+The State Hub handoff from `CUST-WP-0011` should publish the locally verified
+`state-hub:local` image under that name.
+
+The successful smoke-test tags were:
+
+```bash
+gitea.coulomb.social/coulomb/state-hub:6186a99
+gitea.coulomb.social/coulomb/state-hub:latest
+```
+
+Digest:
+
+```text
+sha256:039d29654ccb3754c6ecdbe497c6364bbd8452edcdcb7fa937dd9debf5b734ff
+```
+
+## Operator Smoke Test
+
+Use a Gitea personal access token with package read/write permission:
+
+```bash
+docker login gitea.coulomb.social
+docker tag state-hub:local gitea.coulomb.social/coulomb/state-hub:<tag>
+docker push gitea.coulomb.social/coulomb/state-hub:<tag>
+docker pull gitea.coulomb.social/coulomb/state-hub:<tag>
+```
+
+The `coulomb` organization packages are public by default, so the verified
+cluster pull for `state-hub:6186a99` did not require an `imagePullSecret`.
+
+For private packages, create an image pull secret in each consuming namespace:
+
+```bash
+kubectl create secret docker-registry gitea-registry \
+  --docker-server=gitea.coulomb.social \
+  --docker-username=<gitea-user> \
+  --docker-password=<package-token> \
+  --namespace=<namespace>
+```
+
+Reference it from workloads as `imagePullSecrets: [{name: gitea-registry}]`.
+
+## Python Packages
+
+The same Gitea package service is used for Python wheels. See
+`docs/gitea-package-registry.md` for the publish/install recipe and the
+`issue-core` migration notes from `RAILIANCE-WP-0004 I03`.
+
+## Current Storage Notes
+
+The live Gitea pod mounts `gitea-shared-storage` at `/data`; package blobs land
+under `/data/packages`. On 2026-05-19 that package directory was about
+798.5 MiB.
+
+The PVC is `default/gitea-shared-storage`, 10 GiB, `local-path`, `RWO`. The live
+cluster showed no Kubernetes `CronJob` backup resources across namespaces on
+2026-05-19. This is acceptable for the current smoke-test images, but heavy tag
+growth should wait for the forge/platform backup and retention follow-up in
+`docs/initial-operating-contracts.md`.