Add new infra architecture 8

2026-01-19 22:28:53 +01:00
parent 012aca0d6a
commit 52b8abdc0e
18 changed files with 810 additions and 148 deletions
--- a/infrastructure/cicd/gitea/values.yaml
+++ b/infrastructure/cicd/gitea/values.yaml
@@ -8,6 +8,11 @@
 #
 # NOTE: The namespace is determined by the -n flag during helm install, not in this file.

+# Use regular Gitea image instead of rootless to ensure registry functionality
+# Rootless images don't support container registry due to security restrictions
+image:
+  rootless: false
+
 service:
  http:
    type: ClusterIP
@@ -15,9 +20,12 @@ service:
  ssh:
    type: ClusterIP
    port: 2222
+  # NOTE: Gitea's container registry is served on port 3000 (same as HTTP) under /v2/
+  # The registry.PORT in gitea config is NOT used for external access
+  # Registry authentication and API is handled by the main HTTP service

 ingress:
-  enabled: false
+  enabled: false  # Disable Gitea's built-in ingress - use common ingress instead

 persistence:
  enabled: true
@@ -39,16 +47,27 @@ gitea:
    server:
      DOMAIN: gitea.bakery-ia.local
      SSH_DOMAIN: gitea.bakery-ia.local
-      # Use HTTP internally; TLS termination happens at ingress
-      ROOT_URL: http://gitea.bakery-ia.local
+      # Use HTTPS for external access; TLS termination happens at ingress
+      ROOT_URL: https://gitea.bakery-ia.local
      HTTP_PORT: 3000
-      # For external HTTPS access via ingress, set:
-      # ROOT_URL: https://gitea.bakery-ia.local
+      # Enable package registry
+      PACKAGES_ENABLED: true
+      # Disable built-in HTTPS since ingress handles TLS
+      PROTOCOL: http
    repository:
      ENABLE_PUSH_CREATE_USER: true
      ENABLE_PUSH_CREATE_ORG: true
    packages:
      ENABLED: true
+    registry:
+      ENABLE: true
+      ROOT: /var/lib/gitea-registry
+      STORAGE_TYPE: local
+      # NOTE: PORT config here is internal - registry is accessed via HTTP port on /v2/ path
+    # Additional registry configuration for proper external access
+    docker:
+      ENABLE: true
+      REGISTRY_SSL_REDIRECT: false  # SSL termination happens at ingress
    webhook:
      ALLOWED_HOST_LIST: "*"
      # Allow internal cluster URLs for Tekton EventListener