Remove public Gitea NodePort side door
All checks were successful
Forge Runner Smoke / compatibility-smoke (push) Successful in 0s

2026-06-14 02:26:59 +02:00
parent a1b55776fa
commit 9c4b400cb6
9 changed files with 124 additions and 9 deletions

@@ -10,6 +10,8 @@ Use `gitea.coulomb.social` as the approved forge and registry host. The public
ingress serves the Gitea web route at `https://gitea.coulomb.social/`, the OCI
registry route at `/v2`, and the Python package route at `/api/packages`. The
`/v2` route returns the OCI registry authentication challenge over HTTPS.
Do not use raw node IP HTTP ports for web or registry traffic; the Gitea HTTP
Service is internal-only and the public standard is the HTTPS host.
Registry-specific Gitea settings are carried in
`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
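Review bot: the sentence "Do not use raw node IP HTTP ports for web or registry traffic" asserts that the Gitea HTTP Service is internal-only but gives the reader no way to confirm it. Name the file that defines the Service, the way the following sentence names `helm/gitea-registry-values.yaml` for registry settings, and add a short verification step so the document and the deployed Service cannot drift apart unnoticed. "The public standard is the HTTPS host" would also be clearer if it repeated `https://gitea.coulomb.social/` explicitly, and the rule as written covers only HTTP ports, so state whether it extends to any other Gitea port reachable on a node IP.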