infra: route registry internally and restrict public v2

2026-03-15 09:17:02 -06:00 · 2026-03-15 09:17:02 -06:00 · c340d176d4
parent f4b5fe72c9
commit c340d176d4
2 changed files with 28 additions and 1 deletions
--- a/k8s/jam-cloud-infra/act-runner-config.yaml
+++ b/k8s/jam-cloud-infra/act-runner-config.yaml
@ -19,6 +19,6 @@ data:
      network: ""
      privileged: true
      force_pull: true
-      options: "-v /var/run/docker/docker.sock:/var/run/docker/docker.sock -e DOCKER_HOST=unix:///var/run/docker/docker.sock"
+      options: "-v /var/run/docker/docker.sock:/var/run/docker/docker.sock -e DOCKER_HOST=unix:///var/run/docker/docker.sock --add-host git.staging.jamkazam.com:10.128.139.89"
      valid_volumes:
        - "**"
--- a/k8s/jam-cloud-infra/gitea.yaml
+++ b/k8s/jam-cloud-infra/gitea.yaml
@ -195,3 +195,30 @@ spec:
      http: *gitea_path
    - host: console.staging.jamkazam.com
      http: *gitea_path
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-registry
+  namespace: jam-cloud-infra
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-nginx-production
+    nginx.ingress.kubernetes.io/proxy-body-size: "2048m"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,45.79.40.57/32,72.14.186.114/32,72.14.183.169/32,173.255.203.158/32,173.255.203.99/32"
+spec:
+  ingressClassName: nginx
+  tls:
+    - secretName: gitea-tls
+      hosts:
+        - git.staging.jamkazam.com
+  rules:
+    - host: git.staging.jamkazam.com
+      http:
+        paths:
+          - path: /v2/
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea
+                port:
+                  number: 80