From a1b55776fa963f6eec7eaf38a05a98f44ac01f60 Mon Sep 17 00:00:00 2001 From: tegwick Date: Sat, 13 Jun 2026 18:52:58 +0200 Subject: [PATCH] Standardize public Gitea HTTPS endpoint --- Makefile | 2 +- SCOPE.md | 10 +- docs/current-forge-asset-inventory.md | 4 +- docs/gitea-actions-runner-evidence.md | 4 + docs/gitea-container-registry.md | 9 +- docs/gitea-package-registry.md | 15 +-- docs/observability-operating-evidence.md | 4 +- manifests/gitea-ingress.yaml | 11 +- ...ORGE-WP-0004-public-gitea-root-endpoint.md | 116 ++++++++++++++++++ 9 files changed, 152 insertions(+), 23 deletions(-) create mode 100644 workplans/FORGE-WP-0004-public-gitea-root-endpoint.md diff --git a/Makefile b/Makefile index f12e3a8..70c4277 100644 --- a/Makefile +++ b/Makefile @@ -84,7 +84,7 @@ gitea-deploy: ## Deploy / upgrade current Gitea forge runtime -f $(GITEA_REGISTRY_VALUES) \ --namespace $(GITEA_NAMESPACE) --create-namespace -gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress +gitea-ingress-deploy: ## Apply the public Gitea HTTPS ingress kubectl apply -f $(GITEA_INGRESS) gitea-status: ## Read-only status for current Gitea runtime and database diff --git a/SCOPE.md b/SCOPE.md index 2e8d025..55909ff 100644 --- a/SCOPE.md +++ b/SCOPE.md @@ -3,7 +3,7 @@ This file defines what `railiance-forge` owns, when to use it, and where its boundaries stop. -Last reviewed: 2026-06-05 +Last reviewed: 2026-06-13 --- 
@@ -116,15 +116,15 @@ The Fabric graph declarations for forge capabilities and edges live in - Status: active forge extraction. - Implementation: repository contract, registry docs, initial operating contracts, deploy-capable Gitea files, and operator targets are present. -- Stability: emerging but non-disruptive; files moved without any Helm deploy, - SOPS decryption, or Kubernetes apply. +- Stability: emerging but now live-facing; forge owns the reviewed public + Gitea HTTPS ingress for the web UI, package registry, and OCI registry. - Usage: canonical reference point for forge and registry responsibilities currently transitioning out of `railiance-apps`. Known starting point: -- `railiance-forge` owns Gitea Helm values, registry overlays, ingress, - operating contracts, and deploy/status entry points. +- `railiance-forge` owns Gitea Helm values, registry overlays, public HTTPS + ingress, operating contracts, and deploy/status entry points. - `railiance-apps` keeps app release ownership and transitional compatibility wrappers for old Gitea commands. - `railiance-enablement` owns the intent for delivery templates and developer diff --git a/docs/current-forge-asset-inventory.md b/docs/current-forge-asset-inventory.md index a7d04e8..99412fc 100644 --- a/docs/current-forge-asset-inventory.md +++ b/docs/current-forge-asset-inventory.md 
@@ -27,11 +27,11 @@ while app-release ownership remains there. |-------|--------------|--------------------|-------| | `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Moved | Now `railiance-forge/helm/gitea-values.sops.yaml`; moved without decrypting. | | `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Moved | Now `railiance-forge/helm/gitea-registry-values.yaml`. | -| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels left unchanged until next reviewed deploy. | +| `manifests/gitea-ingress.yaml` | Public Gitea HTTPS ingress for `/`, `/api/packages`, and `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels reconciled to forge ownership during the reviewed public-root deploy. | | `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Moved | Now `railiance-forge/releases/gitea/values.yaml`; review before using as active deploy input. | | `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Moved | Forge owns canonical variables; apps keeps only release/name compatibility variables. | | `make gitea-deploy` | Deploy/upgrade current Gitea release. | Moved | Forge owns target; apps delegates during compatibility window. | -| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Moved | Forge owns target; apps delegates during compatibility window. | +| `make gitea-ingress-deploy` | Apply public Gitea HTTPS ingress. | Moved | Forge owns target; apps delegates during compatibility window. | | `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Moved | Forge owns target; apps delegates during compatibility window. | ## Copy With Compatibility Pointer diff --git a/docs/gitea-actions-runner-evidence.md b/docs/gitea-actions-runner-evidence.md index 52093e8..0c93332 100644 
--- a/docs/gitea-actions-runner-evidence.md +++ b/docs/gitea-actions-runner-evidence.md @@ -29,6 +29,10 @@ Collected from `/home/worsch/railiance-forge` on 2026-06-07. Public endpoint checks from this environment: +Historical note: the root/API `404` results below were collected before +`FORGE-WP-0004` made `https://gitea.coulomb.social/` the standard public Gitea +web endpoint on 2026-06-13. + | Endpoint | Result | Interpretation | | --- | --- | --- | | `https://gitea.coulomb.social/` | HTTP `404` | Public root route is not a useful Gitea web health signal here. | diff --git a/docs/gitea-container-registry.md b/docs/gitea-container-registry.md index 604f1c8..5c88ccc 100644 --- a/docs/gitea-container-registry.md +++ b/docs/gitea-container-registry.md @@ -6,15 +6,16 @@ Gitea Helm and manifest files now live in this repo. ## Registry Target -Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is -live as of 2026-05-15 and returns the OCI registry authentication challenge over -HTTPS. +Use `gitea.coulomb.social` as the approved forge and registry host. The public +ingress serves the Gitea web route at `https://gitea.coulomb.social/`, the OCI +registry route at `/v2`, and the Python package route at `/api/packages`. The +`/v2` route returns the OCI registry authentication challenge over HTTPS. Registry-specific Gitea settings are carried in `helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS values file by `make gitea-deploy`. It explicitly enables packages, permits container and PyPI uploads without an app-level size cap, clears globally -disabled repo units, and moves `ROOT_URL` to the HTTPS host. +disabled repo units, and keeps `ROOT_URL` on the HTTPS host. Image names should use the Gitea owner and package path: diff --git a/docs/gitea-package-registry.md b/docs/gitea-package-registry.md index 7fd3a05..17b54ce 100644 --- a/docs/gitea-package-registry.md +++ b/docs/gitea-package-registry.md 
@@ -8,14 +8,15 @@ Gitea package support is enabled by `helm/gitea-registry-values.yaml`. That overlay is applied after the encrypted base values by `make gitea-deploy` and enables both container packages and Python packages. -The public ingress intentionally exposes `/api/packages` and `/v2` only. The -package route is required for Python package upload and install traffic; the -general Gitea web UI and API remain outside this ingress manifest. +The public ingress exposes the Gitea web route at +`https://gitea.coulomb.social/`, the Python package route at `/api/packages`, +and the OCI registry route at `/v2`. The standard endpoint is HTTPS; if package +simple-index pages render `http://gitea.coulomb.social/...` artifact links, +reconcile the Gitea Helm release with `helm/gitea-registry-values.yaml` so +`ROOT_URL` is restored to the HTTPS host. -The live simple-index pages currently render package artifact links with -`http://gitea.coulomb.social/...`. `uv lock` and clean `pip install` checks work -against the public package route, but the next Gitea config reconciliation -should align `ROOT_URL` with the HTTPS package endpoint. +Status on 2026-06-13: the root web route returns `200`, live `ROOT_URL` is +`https://gitea.coulomb.social/`, and package artifact links render HTTPS URLs. ## Python Packages diff --git a/docs/observability-operating-evidence.md b/docs/observability-operating-evidence.md index 1714b85..5e348e3 100644 --- a/docs/observability-operating-evidence.md +++ b/docs/observability-operating-evidence.md @@ -1,6 +1,6 @@ # Forge Observability And Operating Evidence -Last reviewed: 2026-06-07 +Last reviewed: 2026-06-13 Status: contract v1. This document defines checks, evidence, and future monitoring expectations. It does not authorize a live monitoring deployment, 
@@ -44,7 +44,7 @@ Railiance cluster. Additional checks should stay read-only: ```bash -# Web/API health: expect HTTP 200/3xx for the web route, not 5xx. +# Web/API health: expect HTTP 200/3xx for the web route, not 404/5xx. curl -fsSI https://gitea.coulomb.social/ curl -fsS https://gitea.coulomb.social/api/v1/version diff --git a/manifests/gitea-ingress.yaml b/manifests/gitea-ingress.yaml index 8adaade..b799778 100644 --- a/manifests/gitea-ingress.yaml +++ b/manifests/gitea-ingress.yaml @@ -6,8 +6,8 @@ metadata: labels: app.kubernetes.io/name: gitea app.kubernetes.io/instance: gitea - app.kubernetes.io/part-of: railiance-apps - railiance/component: gitea-registry + app.kubernetes.io/part-of: railiance-forge + railiance/component: gitea-public-endpoint annotations: cert-manager.io/cluster-issuer: letsencrypt-prod spec: @@ -30,6 +30,13 @@ spec: name: gitea port: number: 3000 + - path: / + pathType: Prefix + backend: + service: + name: gitea + port: + number: 3000 tls: - hosts: - gitea.coulomb.social diff --git a/workplans/FORGE-WP-0004-public-gitea-root-endpoint.md b/workplans/FORGE-WP-0004-public-gitea-root-endpoint.md new file mode 100644 index 0000000..cf86955 --- /dev/null +++ b/workplans/FORGE-WP-0004-public-gitea-root-endpoint.md 
@@ -0,0 +1,116 @@ +--- +id: FORGE-WP-0004 +type: workplan +title: "Standard public Gitea HTTPS root endpoint" +domain: railiance +repo: railiance-forge +status: finished +owner: codex +topic_slug: railiance +planning_priority: high +created: "2026-06-13" +updated: "2026-06-13" +state_hub_workstream_id: "10a11cbb-9c2b-496b-af6a-dc934aeee68b" +--- + +# Standard public Gitea HTTPS root endpoint + +## Context + +Before this workplan, `https://gitea.coulomb.social/` returned `404` because +the forge-owned ingress only routed package and OCI registry paths. The Helm +overlay already declared `ROOT_URL: "https://gitea.coulomb.social/"`, so the +deployment standard now makes the public Gitea web route, Python package route, +and OCI registry route part of the same forge-owned endpoint contract. + +## T01 - Set the public endpoint contract + +```task +id: FORGE-WP-0004-T01 +status: done +priority: high +state_hub_task_id: "f0125038-cf5b-4c8b-a90f-c3f3bedfc386" +``` + +Define the standard public Gitea endpoint as: + +- `https://gitea.coulomb.social/` for the web UI and normal Gitea web/API + routes; +- `https://gitea.coulomb.social/api/packages/...` for package publication and + installation; +- `https://gitea.coulomb.social/v2/` for OCI registry clients. + +This explicitly supersedes the temporary registry-only ingress posture. + +## T02 - Update forge-owned deployment files + +```task +id: FORGE-WP-0004-T02 +status: done +priority: high +state_hub_task_id: "225707ce-10b5-41e3-809d-55f4b3a52c80" +``` + +Add a `/` catch-all path to `manifests/gitea-ingress.yaml`, keep the explicit +`/api/packages` and `/v2` paths visible for operator clarity, and reconcile the +ingress labels from the earlier `railiance-apps` extraction to +`railiance-forge` ownership. + +Done when the manifest and operator docs describe the root web endpoint as the +standard deployment shape. + +Completed on 2026-06-13. 
The ingress manifest now routes `/`, `/api/packages`, +and `/v2` to the Gitea service, and the ingress labels identify +`railiance-forge` ownership. Forge docs and operator target wording now describe +the public endpoint as web, package, and OCI registry surface rather than a +registry-only ingress. + +## T03 - Apply and verify the live endpoint + +```task +id: FORGE-WP-0004-T03 +status: done +priority: high +state_hub_task_id: "9d1cd8e6-80da-4ded-9ae7-ddfeb64af0ae" +``` + +Apply the reviewed ingress and, if needed, reconcile the Gitea Helm release so +`ROOT_URL` remains the HTTPS host. Verify: + +- root URL returns `200` or an expected redirect; +- `/api/v1/version` is reachable; +- `/v2/` still returns an OCI authentication challenge; +- the package-specific PyPI simple index for `issue-core` still returns `200`. + +Completed on 2026-06-13. `kubectl apply -f manifests/gitea-ingress.yaml` +configured the public root path. A pinned Helm `--reuse-values` upgrade kept +chart `gitea-12.5.0` and app `1.25.4` while overriding only +`gitea.config.server.ROOT_URL=https://gitea.coulomb.social/`; Gitea rolled to +Helm revision 7. + +Verification evidence: + +- `https://gitea.coulomb.social/` returned `200`; +- `https://gitea.coulomb.social/api/v1/version` returned `200` with + `{"version":"1.25.4"}`; +- `https://gitea.coulomb.social/v2/` returned `401`, preserving the OCI auth + challenge; +- `https://gitea.coulomb.social/api/packages/coulomb/pypi/simple/issue-core/` + returned `200`; +- live `ROOT_URL` is `https://gitea.coulomb.social/`; +- the Gitea web UI bootstrap and `issue-core==0.2.0` package artifact links now + render HTTPS URLs. + +## T04 - Sync State Hub and record evidence + +```task +id: FORGE-WP-0004-T04 +status: done +priority: medium +state_hub_task_id: "ad4b9574-89fd-4ced-8dde-3b0d5a9a555a" +``` + +Run State Hub consistency sync for `railiance-forge` and record a progress note +with non-secret verification evidence. 
+ +Completed on 2026-06-13 after the live endpoint verification.
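Review bot: in the `manifests/gitea-ingress.yaml` labels hunk, renaming `railiance/component` from `gitea-registry` to `gitea-public-endpoint` and `app.kubernetes.io/part-of` from `railiance-apps` to `railiance-forge` is fine for `kubectl apply`, but the patch does not show a check that nothing selects on the old values. Before the reviewed deploy, grep the cluster and the `railiance-apps` / `railiance-forge` repos for `railiance/component: gitea-registry` (NetworkPolicy selectors, monitoring targets, the `make gitea-status` query) and record the result in the workplan, otherwise a label-based policy or status check silently stops matching the ingress.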
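Review bot: the `/` `pathType: Prefix` hunk in `manifests/gitea-ingress.yaml` changes the exposed surface from two narrow registry routes to the whole Gitea web UI and API (sign-in, account settings, repository admin), and neither the manifest nor the workplan records the Gitea service settings that make that exposure acceptable. Add to T01 or T03 a short statement of the reviewed posture (for example whether self-registration is disabled and which authentication is required), so the public-root contract is tied to an explicit decision rather than implied by the route. Also note in the manifest comment that with a `/` Prefix path the explicit `/api/packages` and `/v2` entries are subsumed by longest-prefix matching; keeping them "for operator clarity" is reasonable, but the comment should say they are documentation, not what makes those routes reachable.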
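Review bot: the remedy added in the `docs/gitea-package-registry.md` hunk does not match the fix recorded in the workplan. The doc tells an operator who sees `http://gitea.coulomb.social/...` artifact links to "reconcile the Gitea Helm release with `helm/gitea-registry-values.yaml`", yet the workplan's Context says that overlay already declared the HTTPS `ROOT_URL` while the live value was still HTTP, and the actual fix was a `--reuse-values` upgrade with a `--set` override of `gitea.config.server.ROOT_URL`. Either explain why the overlay alone was not effective (so the documented remedy is known to work) or document the override step as the recovery procedure.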
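Review bot: in the new `workplans/FORGE-WP-0004-public-gitea-root-endpoint.md`, T03 records a pinned `--reuse-values` upgrade that overrides only `gitea.config.server.ROOT_URL`; this value now lives in the stored release values rather than in a tracked file, so the next plain `make gitea-deploy` (which applies the SOPS values plus `helm/gitea-registry-values.yaml` and, per the Makefile hunk, no `--set`) may or may not converge to the same `ROOT_URL` depending on whether the overlay really carries it. Add a follow-up task or a Context sentence stating the root cause of the earlier HTTP `ROOT_URL` and confirming that `make gitea-deploy` reproduces revision 7's configuration. The T03 verification list also lacks a check that plain `http://gitea.coulomb.social/` redirects to HTTPS; since the workplan title standardizes the HTTPS endpoint, record that result alongside the `200`/`401` evidence.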
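Review bot: the `docs/gitea-actions-runner-evidence.md` hunk adds a historical note but leaves the table row's interpretation ("Public root route is not a useful Gitea web health signal here.") as current guidance, which now contradicts `docs/observability-operating-evidence.md` where the root route is the web health check. Mark the row as superseded by `FORGE-WP-0004` in the Interpretation cell, or move the old row into a dated "before 2026-06-13" sub-table, so a reader skimming the table does not take the `404` as expected behaviour.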