99 lines
3.3 KiB
YAML
99 lines
3.3 KiB
YAML
# bp-gitea — Catalyst Blueprint #10 of 11. Per-Sovereign Git server with
|
|
# the public Blueprint catalog mirror seeded. Catalyst's catalog-svc reads
|
|
# Blueprint metadata from this Gitea (not from the public openova monorepo
|
|
# directly) so the Sovereign is air-gap-ready by construction.
|
|
#
|
|
# Wrapper chart: platform/gitea/chart/
|
|
|
|
---
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: gitea
|
|
labels:
|
|
catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
|
|
---
|
|
apiVersion: source.toolkit.fluxcd.io/v1beta2
|
|
kind: HelmRepository
|
|
metadata:
|
|
name: bp-gitea
|
|
namespace: flux-system
|
|
spec:
|
|
type: oci
|
|
interval: 15m
|
|
url: oci://ghcr.io/openova-io
|
|
secretRef:
|
|
name: ghcr-pull
|
|
---
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: bp-gitea
|
|
namespace: flux-system
|
|
labels:
|
|
catalyst.openova.io/slot: "10"
|
|
spec:
|
|
interval: 15m
|
|
releaseName: gitea
|
|
targetNamespace: gitea
|
|
dependsOn:
|
|
- name: bp-keycloak
|
|
# bp-gateway-api (issue #503): chart ships an HTTPRoute template;
|
|
# gateway.networking.k8s.io/v1 CRDs must be registered first.
|
|
- name: bp-gateway-api
|
|
# bp-cnpg (issue #584): chart ships a CNPG Cluster CR;
|
|
# postgresql.cnpg.io/v1 CRD must be registered before bp-gitea
|
|
# applies so the Capabilities gate in cnpg-cluster.yaml creates
|
|
# the Cluster rather than skipping it silently.
|
|
- name: bp-cnpg
|
|
chart:
|
|
spec:
|
|
chart: bp-gitea
|
|
# 1.2.5: gitea-admin-secret carries reflector.v1.k8s.emberstack.com
|
|
# annotations so bp-reflector mirrors it into the catalyst ns where
|
|
# bp-self-sovereign-cutover Step 1 gitea-mirror Job mounts it. K8s
|
|
# forbids cross-namespace secretKeyRef; reflector is the canonical
|
|
# platform-level mirror. Caught live on otech103 2026-05-04.
|
|
version: 1.2.8
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: bp-gitea
|
|
namespace: flux-system
|
|
# Event-driven install: Gitea PostgreSQL DB init + admin user creation +
|
|
# public Blueprint catalog mirror seeding is legitimately multi-minute.
|
|
# Helm install completes when manifests apply; downstream dependsOn
|
|
# checks Ready=True independently. Replaces PR #221 spec.timeout: 15m.
|
|
install:
|
|
disableWait: true
|
|
timeout: 15m
|
|
remediation:
|
|
retries: 3
|
|
upgrade:
|
|
disableWait: true
|
|
timeout: 15m
|
|
remediation:
|
|
retries: 3
|
|
values:
|
|
global:
|
|
sovereignFQDN: ${SOVEREIGN_FQDN}
|
|
# Per-Sovereign overrides — issue #387:
|
|
# Cilium Gateway HTTPRoute exposes Gitea at gitea.${SOVEREIGN_FQDN}.
|
|
# Upstream chart's own Ingress is disabled (gitea.ingress.enabled=false
|
|
# in platform/gitea/chart/values.yaml) — Sovereigns ingress through
|
|
# cilium-gateway from clusters/_template/bootstrap-kit/01-cilium.yaml.
|
|
gateway:
|
|
host: gitea.${SOVEREIGN_FQDN}
|
|
# DoD D25 (t129 2026-05-16): override the chart's baked dev hostname
|
|
# `gitea.catalyst.local` so the Gitea Web UI renders the LIVE
|
|
# Sovereign FQDN in pageData.appUrl, clone URLs, and internal links.
|
|
# Without this every Sovereign's Gitea page told the operator to
|
|
# clone from `gitea.catalyst.local` (which public DNS can't resolve),
|
|
# breaking the canonical "Sovereign-local Git server" contract that
|
|
# bp-self-sovereign-cutover relies on.
|
|
gitea:
|
|
gitea:
|
|
config:
|
|
server:
|
|
DOMAIN: gitea.${SOVEREIGN_FQDN}
|
|
ROOT_URL: https://gitea.${SOVEREIGN_FQDN}
|