coulomb/railiance-forge
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6468b824f3d7e89e0bce7590eeab2145353f8dda
railiance-forge/docs/deploy-capable-gitea-move-review.md

3.7 KiB
Raw Blame History

Deploy-Capable Gitea Move Review

Date: 2026-06-05

Status: executed as a file ownership move. No live Helm deploy, SOPS decryption, or Kubernetes apply was run.

Goal

Move current Gitea deployment ownership from railiance-apps to railiance-forge without changing live service state, exposing secrets, or breaking operator muscle memory.

Candidate Inventory

Current path in railiance-apps Sensitivity Proposed target Action
helm/gitea-values.sops.yaml SOPS-encrypted railiance-forge/helm/gitea-values.sops.yaml Moved without decrypting.
helm/gitea-registry-values.yaml Non-secret railiance-forge/helm/gitea-registry-values.yaml Moved.
manifests/gitea-ingress.yaml Non-secret railiance-forge/manifests/gitea-ingress.yaml Moved without live apply.
releases/gitea/values.yaml Plaintext legacy/operator values railiance-forge/releases/gitea/values.yaml Moved as legacy evidence; review before use as active deploy input.
make gitea-deploy Deploy-capable railiance-forge/Makefile Moved; app-side target delegates.
make gitea-ingress-deploy Deploy-capable railiance-forge/Makefile Moved; app-side target delegates.
make gitea-status Read-only railiance-forge/Makefile Moved; app-side target delegates.

Proposed Target Layout

railiance-forge/
  helm/
    gitea-values.sops.yaml
    gitea-registry-values.yaml
  manifests/
    gitea-ingress.yaml
  releases/
    gitea/
      values.yaml

Keep deploy-capable commands in the forge Makefile:

gitea-deploy
gitea-ingress-deploy
gitea-status

Leave app-side compatibility targets in railiance-apps for one transition window. They should either print the new command location or delegate to make -C /home/worsch/railiance-forge <target>.

Review Gates

  • Operator confirms that current Gitea runtime ownership belongs in railiance-forge, not S5.
  • railiance-forge has the pushed remote and State Hub workplans synced.
  • sops -d helm/gitea-values.sops.yaml works from the new path for authorized operators.
  • Helm render validation works from the new repo without committing decrypted values.
  • App-side compatibility pointers exist before old commands disappear.
  • The move is kept separate from any Forgejo migration or cutover.

Validation Plan

Run these after the files move:

git diff --check
make -C /home/worsch/state-hub fix-consistency REPO=railiance-forge
make -C /home/worsch/state-hub fix-consistency REPO=railiance-apps

Render without writing decrypted secrets into the repo:

helm template gitea gitea-charts/gitea \
  --namespace default \
  -f <(sops -d helm/gitea-values.sops.yaml) \
  -f helm/gitea-registry-values.yaml

Inspect live state without applying changes:

make gitea-status
kubectl diff -f manifests/gitea-ingress.yaml --server-side

Compatibility Plan

railiance-apps should keep short files or targets at the old locations during the transition:

  • docs/gitea-container-registry.md points to forge docs.
  • docs/gitea-package-registry.md points to forge docs.
  • make gitea-status may delegate to forge.
  • make gitea-deploy and make gitea-ingress-deploy should either delegate to forge or fail with a clear message that deploy ownership has moved.

Resolved During Move

  • releases/gitea/values.yaml moved as legacy evidence, not as the preferred active deploy input.
  • manifests/gitea-ingress.yaml labels were left unchanged to avoid mixing the file move with a live-facing manifest semantic change.
  • The SOPS sentinel in forge points at helm/gitea-values.sops.yaml.

Open Questions

  • What restore-drill evidence is required before package data becomes production-critical?
Reference in New Issue View Git Blame Copy Permalink