From 9ce24968cdf10086d6f1405fd6601d61579ee72c Mon Sep 17 00:00:00 2001 From: tegwick Date: Fri, 5 Jun 2026 13:19:10 +0200 Subject: [PATCH] Move Gitea deploy surface into forge --- Makefile | 19 +++++- README.md | 8 +-- SCOPE.md | 24 ++++---- docs/current-forge-asset-inventory.md | 43 +++++++------- docs/deploy-capable-gitea-move-review.md | 33 ++++++----- docs/first-migration-plan.md | 17 +++--- docs/gitea-container-registry.md | 15 +++-- docs/gitea-package-registry.md | 11 ++-- helm/gitea-registry-values.yaml | 11 ++++ helm/gitea-values.sops.yaml | 58 +++++++++++++++++++ manifests/gitea-ingress.yaml | 29 ++++++++++ releases/gitea/values.yaml | 20 +++++++ ...-WP-0002-registry-docs-and-readonly-ops.md | 9 ++- 13 files changed, 219 insertions(+), 78 deletions(-) create mode 100644 helm/gitea-registry-values.yaml create mode 100644 helm/gitea-values.sops.yaml create mode 100644 manifests/gitea-ingress.yaml create mode 100644 releases/gitea/values.yaml diff --git a/Makefile b/Makefile index d491c3c..93c1d79 100644 --- a/Makefile +++ b/Makefile @@ -3,9 +3,14 @@ SHELL := /usr/bin/env bash GITEA_RELEASE ?= gitea GITEA_NAMESPACE ?= default +GITEA_CHART ?= gitea-charts/gitea +GITEA_VALUES ?= helm/gitea-values.sops.yaml +GITEA_REGISTRY_VALUES ?= helm/gitea-registry-values.yaml +GITEA_INGRESS ?= manifests/gitea-ingress.yaml GITEA_DB_CLUSTER ?= gitea-db GITEA_DB_NAMESPACE ?= databases REGISTRY_DOCS ?= docs/gitea-container-registry.md docs/gitea-package-registry.md +SOPS_SENTINEL ?= $(GITEA_VALUES) ##@ Operator checks @@ -26,6 +31,9 @@ check-tools: ## Check local tools used by forge operator targets fi; \ exit $$missing +check-sops: ## Verify the configured SOPS sentinel can decrypt + sops -d $(SOPS_SENTINEL) >/dev/null + registry-docs: ## Print canonical registry docs @for doc in $(REGISTRY_DOCS); do \ printf '\n## %s\n\n' "$$doc"; \ @@ -34,6 +42,15 @@ registry-docs: ## Print canonical registry docs ##@ Current Gitea +gitea-deploy: ## Deploy / upgrade current Gitea forge runtime + helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART) \ + -f <(sops -d $(GITEA_VALUES)) \ + -f $(GITEA_REGISTRY_VALUES) \ + --namespace $(GITEA_NAMESPACE) --create-namespace + +gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress + kubectl apply -f $(GITEA_INGRESS) + gitea-status: ## Read-only status for current Gitea runtime and database kubectl get pods -n $(GITEA_NAMESPACE) -l app.kubernetes.io/instance=$(GITEA_RELEASE) kubectl get svc -n $(GITEA_NAMESPACE) $(GITEA_RELEASE) --ignore-not-found @@ -53,4 +70,4 @@ help: ## Show this help /^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \ /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST) -.PHONY: check-tools registry-docs gitea-status help +.PHONY: check-tools check-sops registry-docs gitea-deploy gitea-ingress-deploy gitea-status help diff --git a/README.md b/README.md index 6368331..406a825 100644 --- a/README.md +++ b/README.md @@ -14,10 +14,9 @@ Start with: 4. `docs/` 5. `workplans/` -Current implementation status: early extraction. Canonical registry operation -docs and read-only status targets live here now. Deploy-capable Gitea Helm, -SOPS, and manifest files remain in `railiance-apps` until the explicit -migration review in `RAILIANCE-WP-0006-T03`. +Current implementation status: active forge extraction. Canonical registry +operation docs, deploy-capable Gitea files, and operator targets live here now. +No live Helm deploy or Kubernetes apply was run as part of the move. Useful entry points: @@ -25,4 +24,5 @@ Useful entry points: make registry-docs make check-tools make gitea-status +make gitea-deploy ``` diff --git a/SCOPE.md b/SCOPE.md index 89aba60..94acd96 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -30,8 +30,8 @@ The practical contract is: 4. `railiance-apps` consumes forge artifacts and deploys user-facing workloads. Canonical registry operation docs and read-only forge checks now live here. -Deploy-capable Gitea Helm/SOPS/manifests remain in `railiance-apps` until the -explicit migration gate for live-affecting files is reviewed. +Deploy-capable Gitea Helm/SOPS/manifests also live here now; `railiance-apps` +keeps only transitional compatibility wrappers for old operator entry points. --- @@ -105,20 +105,20 @@ explicit migration gate for live-affecting files is reviewed. ## Current State -- Status: early extraction. +- Status: active forge extraction. - Implementation: repository contract, registry docs, initial operating - contracts, and read-only operator targets are present. -- Stability: emerging but non-disruptive; no deploy-capable Gitea state has - moved yet. + contracts, deploy-capable Gitea files, and operator targets are present. +- Stability: emerging but non-disruptive; files moved without any Helm deploy, + SOPS decryption, or Kubernetes apply. - Usage: canonical reference point for forge and registry responsibilities currently transitioning out of `railiance-apps`. Known starting point: -- `railiance-apps` currently owns Gitea Helm values, registry overlays, ingress, - and deploy-capable Gitea Makefile targets. -- `railiance-forge` owns registry operation docs, operating contracts, and - read-only status entry points. +- `railiance-forge` owns Gitea Helm values, registry overlays, ingress, + operating contracts, and deploy/status entry points. +- `railiance-apps` keeps app release ownership and transitional compatibility + wrappers for old Gitea commands. - `railiance-enablement` owns the intent for delivery templates and developer paved paths, but not forge runtime operation. - `railiance-forge` should absorb forge runtime and artifact infrastructure @@ -154,8 +154,8 @@ Known starting point: ## Related / Overlapping -- `railiance-apps` - currently hosts Gitea deployment files and registry docs; - should become a consumer after extraction. +- `railiance-apps` - consumes forge artifacts in S5 app releases and keeps + transitional pointers/wrappers for old Gitea paths. - `railiance-enablement` - owns reusable CI/CD templates, SDKs, buildpacks, and developer portal paths. - `railiance-platform` - provides database, storage, backup, and runtime secret diff --git a/docs/current-forge-asset-inventory.md b/docs/current-forge-asset-inventory.md index edc566f..a7d04e8 100644 --- a/docs/current-forge-asset-inventory.md +++ b/docs/current-forge-asset-inventory.md @@ -2,18 +2,20 @@ Date: 2026-06-05 -This inventory covers forge-related assets currently visible in +This inventory covers forge-related assets that were originally visible in `/home/worsch/railiance-apps`. It supports `FORGE-WP-0001-T03` and the coordinating `RAILIANCE-WP-0006` extraction plan. -No files have been moved yet. This document assigns each candidate asset a -target disposition for the first migration plan. +Canonical docs and deploy-capable Gitea files have now moved into +`railiance-forge`. `railiance-apps` keeps compatibility pointers and wrappers +while app-release ownership remains there. ## Summary | Disposition | Meaning | |-------------|---------| | Move | Canonical file should move to `railiance-forge`. | +| Moved | Canonical file has moved to `railiance-forge`. | | Copy pointer | Copy canonical content to `railiance-forge`, leave a short pointer in `railiance-apps` temporarily. | | Leave | Keep in `railiance-apps`; it is S5 app-release surface. | | Adapt | Keep local behavior, but update references after forge extraction. | @@ -23,21 +25,21 @@ target disposition for the first migration plan. | Asset | Current role | Target disposition | Notes | |-------|--------------|--------------------|-------| -| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Move | Must preserve secret boundary; move without decrypting. | -| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Move | This is forge runtime config, not S5 app config. | -| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Move | Forge owns Gitea/registry exposure; cluster ingress primitives remain S2. | -| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Move or supersede | Likely keep only as historical migration reference if still useful. | -| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Move | Recreate in `railiance-forge/Makefile`; remove from S5 after compatibility window. | -| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Move | Should become `railiance-forge` operator target. | -| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Move | Should become `railiance-forge` operator target. | -| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Move | Keep database status as consumer evidence; S3 still owns DB implementation. | +| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Moved | Now `railiance-forge/helm/gitea-values.sops.yaml`; moved without decrypting. | +| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Moved | Now `railiance-forge/helm/gitea-registry-values.yaml`. | +| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels left unchanged until next reviewed deploy. | +| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Moved | Now `railiance-forge/releases/gitea/values.yaml`; review before using as active deploy input. | +| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Moved | Forge owns canonical variables; apps keeps only release/name compatibility variables. | +| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Moved | Forge owns target; apps delegates during compatibility window. | +| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Moved | Forge owns target; apps delegates during compatibility window. | +| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Moved | Forge owns target; apps delegates during compatibility window. | ## Copy With Compatibility Pointer | Asset | Current role | Target disposition | Notes | |-------|--------------|--------------------|-------| -| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Copy pointer | Copy to `railiance-forge/docs/`; leave S5 pointer for app consumers. | -| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Copy pointer | Forge owns endpoint/registry posture; app/source repos own package release details. | +| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. | +| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. | | `workplans/RAIL-AP-WP-0001-gitea-container-registry.md` | Historical implementation evidence for enabling Gitea registry in S5. | Copy pointer or archive | Keep historical record in S5, but create forge follow-up for storage/retention/restore posture. | | `workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md` | Cross-repo coordination plan. | Leave plus pointer | Remains in `railiance-apps` as extraction coordinator; forge work proceeds in `FORGE-WP-*`. | @@ -67,7 +69,7 @@ target disposition for the first migration plan. | `SCOPE.md` | Currently lists Gitea as S5-owned workload. | Adapt | After migration, describe forge as upstream release infrastructure. | | `INTENT.md` | Mentions Gitea/current forge as S5 workload/learning surface. | Adapt | Keep S5 intent but remove long-term forge ownership language. | | `AGENTS.md` | Repo identity still says application Helm releases, Gitea, coulomb services. | Adapt | Update after Gitea files move. Also update task status examples to State Hub canon. | -| `Makefile` `SOPS_SENTINEL ?= $(GITEA_VALUES)` | `check-sops` currently validates Gitea SOPS values. | Adapt | Once Gitea values move, choose an S5 sentinel or make the check no-op when no SOPS file exists. | +| `Makefile` `SOPS_SENTINEL` | `check-sops` validates the forge-owned Gitea SOPS sentinel for compatibility. | Adapted | Apps points at `/home/worsch/railiance-forge/helm/gitea-values.sops.yaml`. | | `tools/check-sops.sh` | Generic SOPS sentinel check. | Leave/adapt | Useful beyond forge, but current default must change after move. | | `.custodian-brief.md` | Generated State Hub brief. | Generated | Do not edit manually; consistency sync updates it. | @@ -82,21 +84,20 @@ target disposition for the first migration plan. ## First Safe Move Candidate -The first migration should avoid live service changes and move documentation -before deployment configuration: +The first migration avoided live service changes and moved documentation before +deployment configuration: 1. Copy `docs/gitea-container-registry.md` and `docs/gitea-package-registry.md` into `railiance-forge/docs/`. 2. Replace the originals in `railiance-apps` with short compatibility pointers. 3. Add a `railiance-forge/Makefile` with read-only/status targets first. 4. Move deploy-capable Gitea targets only after the operator path is reviewed. +5. Keep app-side compatibility wrappers until operators have switched. -This gives operators a new canonical forge home while keeping current S5 app +This gives operators a canonical forge home while keeping current S5 app runbooks discoverable. ## Remote Creation Note -Creating `coulomb/railiance-forge` on the current Gitea instance is blocked: -the configured `tea` login `coulomb` exists, but the stored token is invalid as -of 2026-06-05. The local repo is initialized and State Hub-registered, but -`origin` should not be added until the remote repository exists. +`coulomb/railiance-forge` now exists and the local repo is pushed to +`gitea-remote:coulomb/railiance-forge.git`. diff --git a/docs/deploy-capable-gitea-move-review.md b/docs/deploy-capable-gitea-move-review.md index 8c5a159..759c5c2 100644 --- a/docs/deploy-capable-gitea-move-review.md +++ b/docs/deploy-capable-gitea-move-review.md @@ -2,8 +2,8 @@ Date: 2026-06-05 -Status: ready for operator review. No deploy-capable files have been moved by -this review, and no live cluster command is authorized by this document. +Status: executed as a file ownership move. No live Helm deploy, SOPS +decryption, or Kubernetes apply was run. ## Goal @@ -15,13 +15,13 @@ breaking operator muscle memory. | Current path in `railiance-apps` | Sensitivity | Proposed target | Action | |---|---:|---|---| -| `helm/gitea-values.sops.yaml` | SOPS-encrypted | `railiance-forge/helm/gitea-values.sops.yaml` | Move after confirming SOPS age access still works from the new repo. Do not decrypt into Git. | -| `helm/gitea-registry-values.yaml` | Non-secret | `railiance-forge/helm/gitea-registry-values.yaml` | Move with the registry docs. | -| `manifests/gitea-ingress.yaml` | Non-secret | `railiance-forge/manifests/gitea-ingress.yaml` | Move and update ownership labels from `railiance-apps` to `railiance-forge` if desired. | -| `releases/gitea/values.yaml` | Plaintext legacy/operator values | `railiance-forge/releases/gitea/values.yaml` or archive | Review before moving; it contains old CoulombCore-era chart notes and a placeholder password comment. | -| `make gitea-deploy` | Deploy-capable | `railiance-forge/Makefile` | Move only after app-side compatibility target is ready. | -| `make gitea-ingress-deploy` | Deploy-capable | `railiance-forge/Makefile` | Move only after app-side compatibility target is ready. | -| `make gitea-status` | Read-only | `railiance-forge/Makefile` | Already introduced as read-only target. | +| `helm/gitea-values.sops.yaml` | SOPS-encrypted | `railiance-forge/helm/gitea-values.sops.yaml` | Moved without decrypting. | +| `helm/gitea-registry-values.yaml` | Non-secret | `railiance-forge/helm/gitea-registry-values.yaml` | Moved. | +| `manifests/gitea-ingress.yaml` | Non-secret | `railiance-forge/manifests/gitea-ingress.yaml` | Moved without live apply. | +| `releases/gitea/values.yaml` | Plaintext legacy/operator values | `railiance-forge/releases/gitea/values.yaml` | Moved as legacy evidence; review before use as active deploy input. | +| `make gitea-deploy` | Deploy-capable | `railiance-forge/Makefile` | Moved; app-side target delegates. | +| `make gitea-ingress-deploy` | Deploy-capable | `railiance-forge/Makefile` | Moved; app-side target delegates. | +| `make gitea-status` | Read-only | `railiance-forge/Makefile` | Moved; app-side target delegates. | ## Proposed Target Layout @@ -98,14 +98,15 @@ the transition: - `make gitea-deploy` and `make gitea-ingress-deploy` should either delegate to forge or fail with a clear message that deploy ownership has moved. +## Resolved During Move + +- `releases/gitea/values.yaml` moved as legacy evidence, not as the preferred + active deploy input. +- `manifests/gitea-ingress.yaml` labels were left unchanged to avoid mixing the + file move with a live-facing manifest semantic change. +- The SOPS sentinel in forge points at `helm/gitea-values.sops.yaml`. + ## Open Questions -- Should `releases/gitea/values.yaml` move as an active file or be archived as - legacy evidence? -- Should `manifests/gitea-ingress.yaml` labels change from - `app.kubernetes.io/part-of: railiance-apps` to `railiance-forge` during the - move, or stay stable until the next deploy? -- Should the SOPS sentinel in forge point at `helm/gitea-values.sops.yaml` once - that file moves? - What restore-drill evidence is required before package data becomes production-critical? diff --git a/docs/first-migration-plan.md b/docs/first-migration-plan.md index ce38df7..cc765c2 100644 --- a/docs/first-migration-plan.md +++ b/docs/first-migration-plan.md @@ -2,14 +2,15 @@ Date: 2026-06-05 -Status: Phase 1 is underway. The remote repository exists and is pushed, so the -earlier Gitea API blocker no longer applies. +Status: Phases 1 through 3 are complete as file ownership moves. No live Helm +deploy, SOPS decryption, or Kubernetes apply was run. This plan starts the extraction of forge ownership from `railiance-apps` into `railiance-forge` without changing the live Gitea deployment. The rule for the first migration is simple: move knowledge and read-only -operator entry points before moving deploy-capable configuration. +operator entry points before moving deploy-capable configuration. That sequence +has now been followed. ## Goals @@ -63,18 +64,18 @@ Initial `railiance-forge/Makefile` targets: - `check-tools`: minimal local tool check for `kubectl`, `helm`, `sops`, and optional `tea`. -Do not add `gitea-deploy` in this phase. +`gitea-deploy` was intentionally deferred until Phase 3. Validation: - Targets are read-only. - Targets either succeed or fail with clear missing-tool messages. -- `railiance-apps` still owns deploy-capable Gitea targets during the - transition. +- `railiance-apps` still has compatibility wrappers during the transition. ## Phase 3 - Deploy-Capable Target Review Move deploy-capable Gitea ownership only after Phase 1 and Phase 2 are reviewed. +This is now complete as a file move. Candidate moves: @@ -123,5 +124,5 @@ aligned with `origin/main`. ## Next Recommended Action -Complete Phase 1 documentation canonicalization and Phase 2 read-only operator -targets, then review the deploy-capable Gitea file move separately. +Complete Phase 4 S5 scope cleanup and decide when compatibility wrappers in +`railiance-apps` can be retired. diff --git a/docs/gitea-container-registry.md b/docs/gitea-container-registry.md index 644230d..ebc41ae 100644 --- a/docs/gitea-container-registry.md +++ b/docs/gitea-container-registry.md @@ -1,8 +1,8 @@ # Gitea Container Registry This is the canonical Railiance operating note for the current Gitea container -registry. Compatibility pointers remain in `railiance-apps` while deploy-capable -Gitea Helm and manifest files still live there. +registry. Compatibility pointers remain in `railiance-apps`; deploy-capable +Gitea Helm and manifest files now live in this repo. ## Registry Target @@ -10,12 +10,11 @@ Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is live as of 2026-05-15 and returns the OCI registry authentication challenge over HTTPS. -Registry-specific Gitea settings are currently carried in -`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`, a non-secret -overlay applied after the SOPS values file by `make gitea-deploy`. It explicitly -enables packages, permits container and PyPI uploads without an app-level size -cap, clears globally disabled repo units, and moves `ROOT_URL` to the HTTPS -host. +Registry-specific Gitea settings are carried in +`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS +values file by `make gitea-deploy`. It explicitly enables packages, permits +container and PyPI uploads without an app-level size cap, clears globally +disabled repo units, and moves `ROOT_URL` to the HTTPS host. Image names should use the Gitea owner and package path: diff --git a/docs/gitea-package-registry.md b/docs/gitea-package-registry.md index 8e7ee5c..b19d5bb 100644 --- a/docs/gitea-package-registry.md +++ b/docs/gitea-package-registry.md @@ -1,13 +1,12 @@ # Gitea Package Registry This is the canonical Railiance operating note for the current Gitea Python -package registry. Compatibility pointers remain in `railiance-apps` while -deploy-capable Gitea Helm and manifest files still live there. +package registry. Compatibility pointers remain in `railiance-apps`; +deploy-capable Gitea Helm and manifest files now live in this repo. -Gitea package support is enabled by -`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`. That overlay is -applied after the encrypted base values by `make gitea-deploy` and enables both -container packages and Python packages. +Gitea package support is enabled by `helm/gitea-registry-values.yaml`. That +overlay is applied after the encrypted base values by `make gitea-deploy` and +enables both container packages and Python packages. ## Python Packages diff --git a/helm/gitea-registry-values.yaml b/helm/gitea-registry-values.yaml new file mode 100644 index 0000000..74020a4 --- /dev/null +++ b/helm/gitea-registry-values.yaml @@ -0,0 +1,11 @@ +# Non-secret Gitea registry settings layered after the SOPS values file. +gitea: + config: + packages: + ENABLED: true + LIMIT_SIZE_CONTAINER: -1 + LIMIT_SIZE_PYPI: -1 + repository: + DISABLED_REPO_UNITS: "" + server: + ROOT_URL: "https://gitea.coulomb.social/" diff --git a/helm/gitea-values.sops.yaml b/helm/gitea-values.sops.yaml new file mode 100644 index 0000000..30b9184 --- /dev/null +++ b/helm/gitea-values.sops.yaml @@ -0,0 +1,58 @@ +#ENC[AES256_GCM,data:jLG3K9KRtV7zKrLfJ0J42LAc17nX8UKbB2KWJSXZPFQ+5cZjA3RFbQ==,iv:Ync2fzES+Oj1L/yfSLxInef5IgQWpJdK9Wd8fTLinSU=,tag:gHEiHLzOI1eiuAhntcCU2A==,type:comment] +#ENC[AES256_GCM,data:z6zvj2FcfFTmf7D8ZgbW8Wi68s4O,iv:kwaB3n64IQR4slfLFnQqjtQO9oxm5MkVqvtt53BArqc=,tag:ftjV1jtGa57QSpLOJGGDqA==,type:comment] +#ENC[AES256_GCM,data:ty8rXwAdeJjr7wA0hXpdDOmpPVaqnCavzzO6/RI9SYpcQ3pnIsBxmIpcdx6hqbkH,iv:YDYrEMvrKX0sGIPIBYbJUdOcPwx84CFQQSmR8+QIZuA=,tag:P/0IbdxCxofZPn+OlSLU0Q==,type:comment] +#ENC[AES256_GCM,data:2LqlFLbhpKrQH0r6RrgECOpxD74+zK7Ksl26BEhsKukOYBzk8sAfHkRcH2G7Ndk/cgCJjD7Ndk7ogh1d,iv:Z7ueOEVthvm/peyDAT4XpuIvl4if346iitWne7/1HFs=,tag:ziXDL/9d00jGGxOJtK5C8Q==,type:comment] +# +#ENC[AES256_GCM,data:G6Jzdr5V/IKyvcG3j6lmD1N6i1vYrOnYWLAQ1e/gnctgMufKqcW7kJA9Cdj7Vw==,iv:093mO8+QElI5tqs6DgTJiO71OLAppbxvGafmpXlt6G0=,tag:MRzd9UupZkdsk3DRKKbp0g==,type:comment] +#ENC[AES256_GCM,data:DHEo5mRMm0hiEAR++0uJdnmMuZFuecKXfl0rrYeQxNWRAUqgjL8+y0E97Q==,iv:qh7rewpXW0XEe1wLM8nTipByShnG2SO9UGVXgm3Gcd4=,tag:FfC/iiBnaqnP5gZiYmBomA==,type:comment] +#ENC[AES256_GCM,data:7nU7Z8dZ2JP+WfTIBcc4zoEZUaaqyOiip/Vn/txJm7Eetc9mso7JGKTHSkXV/a9Kqp96yZG6mEaXoh0jFQfmX1ItJOAq6uUtUav0I76FK2coQ2lnTTpPt5LzRWH3Gw==,iv:p7/MR5adZt48uJtpuLHnydcy7af6YOcjRj9Mgknc8aw=,tag:gqvosX3nSHsDLR0E6BJ9MA==,type:comment] +gitea: + config: + server: + DOMAIN: ENC[AES256_GCM,data:PxKHJeRtHMJFvQMpDl+VFSNcRv4=,iv:L1UtCaBrEoRlyJH36Yd55b7WFhTZMUTYAP6knC6Qfxc=,tag:hFton+zOgXPF+gCzqNEKyQ==,type:str] + ROOT_URL: ENC[AES256_GCM,data:tDJQG/468fYtXlyKGcl43bmMALvlEJhgxM4/,iv:4u4WzQbZZ1utshFrdtTXmxYMHSX9Mei5rq1I+z8iwpY=,tag:ibrCAk7esdOArFrhB4Qi3w==,type:str] + SSH_DOMAIN: ENC[AES256_GCM,data:bz41+PZAvGMoJPcNPpSMPfi5L5A=,iv:qG78QHcxFgxmgv+hOcAR3JadM5fL4euBtXk392ILI7A=,tag:M23NRlCTxcAchTfE8S5nKg==,type:str] + database: + DB_TYPE: ENC[AES256_GCM,data:A9DE1lAHDLQ=,iv:BJz5BmhvZBNmZ/wL/f/160tNFUN1QOS+cj4jmCrxILA=,tag:D8XHegqVEOYTtMScKoRkeg==,type:str] + HOST: ENC[AES256_GCM,data:eWWPMjljR4EY63qUmXvtS5VW7evpP261nOCiLljy79Ft+j8pwkAnEA2+iaY=,iv:cJIB2SbEIA+BeAViwJZNP+eOhTP1Y3vFgN8JKGUKQWE=,tag:Ej1YhpzuNcJXy9jbg8LnIw==,type:str] + NAME: ENC[AES256_GCM,data:8Zp5FNs=,iv:qhrWkp15Oy0SsCiJvGsUBg4vv6X0ez2x2NWqk3XUsno=,tag:4qj1XQf8vHkDGynjUa9JVg==,type:str] + USER: ENC[AES256_GCM,data:m4Ln0J8=,iv:BmNO265BQVtTCIIF/T5fbNRZBEPZz8tPSeam7ToVSAM=,tag:Lwr7AxxckJ3B/Ff4l+FNIg==,type:str] + PASSWD: ENC[AES256_GCM,data:tIKMvA4=,iv:FxnmkHazpThExFgsRqeMfFQhTbhPH6+o0fK9xURwqBs=,tag:1mohGBT+ynExzUoM3CtU5Q==,type:str] + SSL_MODE: ENC[AES256_GCM,data:MHrNNVnCUw==,iv:V5voIFrtJicropHf5FpTWlq6Gk+Vvw1z7ax24fAzcAU=,tag:/DoDYoBb/tv9egi1lJ7xdw==,type:str] + cache: + ADAPTER: ENC[AES256_GCM,data:mFEneE8=,iv:fwJm8bK1QH8WoVbFa2oCRQivdVkw0RjPVFNPc5Ecn5U=,tag:XhgsZmHoaReE43JJb9XdGw==,type:str] + HOST: ENC[AES256_GCM,data:0dx6Jh8lf/VWCEUMCi48oJdB0Yfkrk0zkkyVI9pRJeUV3y6XRZnTYP/e0zTXxhMfXS3bNnGqacZSelgVy4jc7pl354iU94EcIz1Rh2x3bs0W18rzMy5ATuOhdhnlY/Ly1BSWwPkldEPTSw==,iv:cyAPLzWPOeJo7LDXaw27in4IblZxcR3pVXPegqV9Vp4=,tag:UYSmXMDDkPWXE3fO+z6MiA==,type:str] + session: + PROVIDER: ENC[AES256_GCM,data:I/43BCQ=,iv:IHbcRbE8C8g8h5sTOyKqUafEVZ6QJuLo71j69Z49AIw=,tag:oiz4f/BF827YbH5jJKp8uQ==,type:str] + PROVIDER_CONFIG: ENC[AES256_GCM,data:2Qu3Fd7Fov5Qw/E/YXwvynwojFwZpWyOvlvKmRs03Ir8usjlRctRCvfcmW3g8EolkY2xQhmZzd9All/33nJMetA1bZ0MAU5ct5U1tkxiOBEcrruix8WzuokQi+5cPxTfu0bHZYDvrtlpIQ==,iv:3xDoJeUa5OLN9dGJEIqIK2SN9bVZE9Gf2sP1rOYyzEk=,tag:D+9iPT+YYxOOOZckqO+KbQ==,type:str] + queue: + TYPE: ENC[AES256_GCM,data:lk3WVMg=,iv:vy2hD1xZf123IwqWbI3a9cI1GUmMpOc+Klw80seQj44=,tag:Y2WkIaCszv201aV7NRPPtw==,type:str] + CONN_STR: ENC[AES256_GCM,data:/vl9QR4MYnGngiIhXT2bum1rWXZwNz/FyqfWG8QmdKrpNE+vquXWACFiTWhH9Hf8g+OUWzaOqZqn+ph8yZNHFaZqzBNZPyGyyVk7sU1SeUs0iUhPf29/jQGRFHOxxFSx/2FIVVblMhtA7A==,iv:WUx7iG2LqxdoPDNDbhk/tVhRWqgIXjCePMHOM4SpicU=,tag:Xnk7qomvqys2APA4t5Vf9A==,type:str] +postgresql-ha: + enabled: ENC[AES256_GCM,data:f0h+GvU=,iv:RDIU37NlWBC1KE3eFSZJxiAkudEIgtwLAicfOcYDcVI=,tag:7GlCCxpNXjyP/tuwG+aA6A==,type:bool] +postgresql: + enabled: ENC[AES256_GCM,data:P4WyaR0=,iv:iIiB5j0ZJrizO1LTzGUp1u1i+8L8AispkEUT2sr1gws=,tag:HqNdr1rPSgb8xAv7jhL1UA==,type:bool] +redis-cluster: + enabled: ENC[AES256_GCM,data:7h2ZNb0=,iv:qOWCgiCfnbv79EddfSNbBKT/q8JB24gMKfmlEX0g++U=,tag:iNW/PRCqRBX2oPop1ERALg==,type:bool] +valkey-cluster: + enabled: ENC[AES256_GCM,data:9ffS+Mo=,iv:GVVBb/JN1Zzj4h6j0jVpoMMHnkFpsJdr5VgSpUXhmUY=,tag:N9vypan+ueWk+RcpL5K6Fw==,type:bool] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbHdUNmpkaFozVDJMY2tG + TlVBeUJNSlJPcTR5aXhVMkN1MUVLMHJ3NXdVClhkdDhGVTJ6NEdWeGVHeEo2SkZB + aldWZ25kK3JDcWxsL0Q2c3BYbGI2c2cKLS0tIDU5bEdxTjVvKzlSUlpIZGhRMS9Q + MnNPMnl0SEc3NVRvVHJhNW53aWxiWTAK2TIz10Md0eNyTzpuxml1CDvCW9Cq6gEt + 8zHyWNA1LayXct2mvcgVmMWyO8+nl7ZIaqhZHGNzC0cLaOqwD2o4bQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-27T09:02:37Z" + mac: ENC[AES256_GCM,data:a1pdWiw64d16D1IFRd8PskvOsjAP6YFBzGZICfaN4ABHiQfNeIrSfeYxtvF6SwfK2bXxIfEcvC2Ofl6VKQtXwftmu1jruZeXSGtpAybwsVx8XPxmJNWKJwpfQaSUoE+/Wg1nmpJYBVUPDhVUwnGumnYQB+sXLdrMQD24HjbT4Zc=,iv:ETirgEDjX4aWNLVe1n86jsU2ShdWY728YMgBkMl4JSE=,tag:jX052pHamAbdaB8wJbYaSA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/manifests/gitea-ingress.yaml b/manifests/gitea-ingress.yaml new file mode 100644 index 0000000..ac76e63 --- /dev/null +++ b/manifests/gitea-ingress.yaml @@ -0,0 +1,29 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitea + namespace: default + labels: + app.kubernetes.io/name: gitea + app.kubernetes.io/instance: gitea + app.kubernetes.io/part-of: railiance-apps + railiance/component: gitea-registry + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + ingressClassName: traefik + rules: + - host: gitea.coulomb.social + http: + paths: + - path: /v2 + pathType: Prefix + backend: + service: + name: gitea + port: + number: 3000 + tls: + - hosts: + - gitea.coulomb.social + secretName: gitea-tls diff --git a/releases/gitea/values.yaml b/releases/gitea/values.yaml new file mode 100644 index 0000000..c70ec6f --- /dev/null +++ b/releases/gitea/values.yaml @@ -0,0 +1,20 @@ +# Gitea Helm values — COULOMBCORE cluster +# Chart: gitea/gitea version: 12.5.0 +# Release name: gitea namespace: default +# +# Applied via: +# helm upgrade gitea gitea/gitea --version 12.5.0 -n default -f releases/gitea/values.yaml + +postgresql-ha: + pgpool: + adminPassword: changeme4 # TODO: move to sealed secret / external secret + + # Right-sized for single-node COULOMBCORE (2 vCPU budget is tight). + # Default was 250m request which caused scheduling failures — see INC-001. + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 200m + memory: 384Mi diff --git a/workplans/FORGE-WP-0002-registry-docs-and-readonly-ops.md b/workplans/FORGE-WP-0002-registry-docs-and-readonly-ops.md index 3b58eaf..bf21513 100644 --- a/workplans/FORGE-WP-0002-registry-docs-and-readonly-ops.md +++ b/workplans/FORGE-WP-0002-registry-docs-and-readonly-ops.md @@ -4,7 +4,7 @@ type: workplan title: "Canonical registry docs and read-only forge operations" domain: railiance repo: railiance-forge -status: active +status: finished owner: codex topic_slug: railiance planning_priority: high @@ -105,7 +105,7 @@ competing canonical sources. ```task id: FORGE-WP-0002-T05 -status: todo +status: done priority: high state_hub_task_id: "6f6fc3a4-a883-4803-84e7-2700629d397a" ``` @@ -115,3 +115,8 @@ After operator review, move deploy-capable Gitea files and commands into Done when `railiance-forge` owns Gitea deploy/status/ingress commands and `railiance-apps` no longer carries live forge deployment files as S5 scope. + +Completed on 2026-06-05. The Gitea SOPS values, registry overlay, ingress +manifest, legacy release values, and deploy/status Makefile targets now live in +`railiance-forge`. `railiance-apps` keeps compatibility wrappers only. No live +deploy, SOPS decryption, or Kubernetes apply was run.