Add Gitea self-hosted git/CI/registry to replace GitHub

Deploy Gitea via Helm with dedicated CloudNativePG database,
in-cluster Actions runner (DinD), and built-in container registry.
ArgoCD repoURLs updated to use in-cluster Gitea SSH. Preview
ApplicationSet switched from GitHub PR generator to Gitea PR
generator. App images now pull from gitea.coreworlds.io registry.

Remaining setup after deploy: seal runner token, ArgoCD API token,
and registry pull secret once Gitea is running. Add ArgoCD deploy
key to Gitea repo settings.

infra/kubernetes/platform/gitea-pg/cluster.yaml

@@ -0,0 +1,44 @@
+# Prerequisites: CloudNativePG operator must be installed first.
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: gitea-pg
+  namespace: platform
+spec:
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+
+  storage:
+    storageClass: longhorn-nvme
+    size: 5Gi
+
+  postgresql:
+    parameters:
+      max_connections: "100"
+      shared_buffers: 128MB
+      effective_cache_size: 256MB
+      work_mem: 4MB
+
+  bootstrap:
+    initdb:
+      database: gitea
+      owner: gitea
+      secret:
+        name: gitea-pg-credentials
+
+  backup:
+    barmanObjectStore:
+      destinationPath: s3://gitea-pg-backups/
+      endpointURL: http://minio.platform.svc:9000
+      s3Credentials:
+        accessKeyId:
+          name: pg-backup-s3-credentials
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: pg-backup-s3-credentials
+          key: SECRET_ACCESS_KEY
+    retentionPolicy: "30d"
+
+  monitoring:
+    enablePodMonitor: true

infra/kubernetes/platform/gitea-pg/gitea-pg-credentials-sealed.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-pg-credentials
+  namespace: platform
+spec:
+  encryptedData:
+    password: AgCOM3lECbwltUOFNj4QZtwaPR+jBO+1L16Si8YETh5B5cC5eArOPpHGMQ7yK7ov9X+S/iIhPiolyHrQb7Tw3kSX/NHj933YHx1bITf1i5wF1LKRDbsw4XXox6bsG+GITMhUxtlVYdfY0OdoStHSpjGDHChHDHL74BjgdMS/jBSQGyicOXH6RYYH3/N7QeiwDmTAFrkhNp0DPQXG/xJ7Qi+lp9PR7ddwFZ5B1R2bVRB3KhwtMbPs4Qlo22tJh+khGgBv2yuWXB13Eu1QWOTTL58qRbwjPMB+jNMdyvGq/bWzulkIyjn17ijGn4R1XMJNyhsLSphnrqceDHyT5RroryO6cxMkFn06ZJ9xSk9GqTm4b8Rf7Hq5vvzVpeZ2MBxBO4teOyuWPED0SL4eAp36DOmczSHM1U7Uyq4sYgHJjYwnFjviaw0kmS/nhL2ZBpsuXpSd2qh2fJlZzp+pW6i54Ckvggt7ukMqT8XaENTYHLVD1uqCBwTiOJpB8VqpKXpnOLvGj44NAkub3t5ScNFzQtVcR+25zT3YaIr8g1SRoxmlPWqLcDsqnqCowYU95Vah3VWWytEToax5J3iNWRFByjNucRWHFssNsnKEXGZOuyG0tIQ1U2a/uPx7yiz1sCaxnSkai6es3GTX7Azi7OOWio5jGYJpF9iNRsHlRH8FadhjkGiIj7EUl858AfX8EPzXaMvyEMcgpOzxsanItwmMBhsVO38t1AN2Q/xbkNJBOX8=
+    username: AgB551yjCY/y0tZFq7gj4iCBmyvHZqEu9kwwqWrLMUUqMfQ3p+3hpprEJROt+Egixz7LTX5iv/YcJLLMsAJJSws70+Cm0l3buRPeVLuL5aQ1xCLOAHLrimg432eVnQ+FuEXxZhOWXfimZFNSW5IsyLabtt4SsSoA99WD4srZmfXcQCbIS1lO9fPNtLyvOp2o1BtYAstW5NOHE+/bEDAQoyAAn3ZQ5k59xjlBrLSlC6xt/QoivEiA20YBYnwaaLDpxEI1hpsFf9Jp9NC0nJfuFnBKnIuxhcU5tWyfxGmnpWtVQ1t5TgsktuxjBE65fXIqEYQOu2J2OPbjMjVyS1maNTj6s9OZgFi1gsNG8oRxoaVgs5lyDOzkJTtbGmSua09UEY7Lux4PWxQsc2P11sPA9zCJgPF7kN+sGXrx2WrQ01qE7z7p67rvLGAgXH4js0hUXaa57Ip+2tk0qQUUySENv0ufPCG9zOe3zkMh9c844HoJoZ1y+s3QoD7veLMS5UlLrNF9U888yGQtpwaxTb9EBGwvfiXwRO4C0r6ylm/nqroQrS073NKee4+CP/B1N6sMVp6/476eAmpgEn2Gb/TP601PxIXS76HKCn9yJ8+Y9JWCQ4rhLOR6q8SbNMmCch6W9wSoKVL8PYP5n2453Ie3Npd4YlBzu5P24yhWzmqdoUwKuNIPGsemFNoU4pYHJtn0h7E1/ovS8Q==
+  template:
+    metadata:
+      name: gitea-pg-credentials
+      namespace: platform

infra/kubernetes/platform/gitea-pg/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster.yaml
+  - gitea-pg-credentials-sealed.yaml

infra/kubernetes/platform/gitea-runner/deployment.yaml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea-runner
+  namespace: platform
+  labels:
+    app: gitea-runner
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea-runner
+  template:
+    metadata:
+      labels:
+        app: gitea-runner
+    spec:
+      containers:
+        - name: runner
+          image: gitea/act_runner:latest
+          env:
+            - name: GITEA_INSTANCE_URL
+              value: http://gitea-http.platform.svc:3000
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: gitea-runner-token
+                  key: token
+            - name: GITEA_RUNNER_LABELS
+              value: "ubuntu-latest:docker://node:20-bookworm,linux/amd64:docker://node:20-bookworm,cluster:docker://node:20-bookworm"
+            - name: DOCKER_HOST
+              value: tcp://localhost:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/client
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs/client
+              readOnly: true
+            - name: runner-data
+              mountPath: /data
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 200m
+            limits:
+              memory: 1Gi
+
+        - name: dind
+          image: docker:dind
+          securityContext:
+            privileged: true
+          env:
+            - name: DOCKER_TLS_CERTDIR
+              value: /certs
+          volumeMounts:
+            - name: docker-certs
+              mountPath: /certs
+            - name: dind-storage
+              mountPath: /var/lib/docker
+          resources:
+            requests:
+              memory: 512Mi
+              cpu: 500m
+            limits:
+              memory: 4Gi
+
+      volumes:
+        - name: docker-certs
+          emptyDir: {}
+        - name: runner-data
+          emptyDir: {}
+        - name: dind-storage
+          emptyDir: {}

infra/kubernetes/platform/gitea-runner/gitea-runner-token-sealed.yaml

@@ -0,0 +1,15 @@
+# PLACEHOLDER: Generate token from Gitea admin panel, then re-seal with:
+# ./scripts/seal-secret.sh gitea-runner-token platform token=<registration-token>
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-runner-token
+  namespace: platform
+spec:
+  encryptedData:
+    token: PLACEHOLDER_SEAL_ME
+  template:
+    metadata:
+      name: gitea-runner-token
+      namespace: platform

infra/kubernetes/platform/gitea-runner/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - gitea-runner-token-sealed.yaml

infra/kubernetes/platform/gitea/application.yaml

@@ -0,0 +1,77 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea-helm
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "1"
+spec:
+  project: default
+  source:
+    repoURL: https://dl.gitea.com/charts/
+    chart: gitea
+    targetRevision: 10.6.0
+    helm:
+      valuesObject:
+        # Disable bundled dependencies — we use external DB and Valkey
+        postgresql:
+          enabled: false
+        postgresql-ha:
+          enabled: false
+        redis-cluster:
+          enabled: false
+        redis:
+          enabled: false
+
+        gitea:
+          admin:
+            existingSecret: gitea-admin-credentials
+          config:
+            database:
+              DB_TYPE: postgres
+              HOST: gitea-pg-rw.platform.svc:5432
+              NAME: gitea
+              USER: gitea
+              PASSWD:
+                _secret: gitea-pg-credentials
+                _key: password
+            cache:
+              ADAPTER: redis
+              HOST: redis://valkey.platform.svc:6379/0
+            session:
+              PROVIDER: redis
+              PROVIDER_CONFIG: redis://valkey.platform.svc:6379/1
+            server:
+              DOMAIN: gitea.coreworlds.io
+              ROOT_URL: https://gitea.coreworlds.io
+              SSH_DOMAIN: gitea.coreworlds.io
+              SSH_PORT: 2222
+              SSH_LISTEN_PORT: 2222
+            actions:
+              ENABLED: true
+              DEFAULT_ACTIONS_URL: github
+            packages:
+              ENABLED: true
+
+        persistence:
+          enabled: true
+          storageClass: longhorn-nvme
+          size: 20Gi
+
+        service:
+          http:
+            type: ClusterIP
+            port: 3000
+          ssh:
+            type: NodePort
+            port: 2222
+            nodePort: 30022
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: platform
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/kubernetes/platform/gitea/gitea-admin-credentials-sealed.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: gitea-admin-credentials
+  namespace: platform
+spec:
+  encryptedData:
+    email: AgCUJ0iYfg51FPWXoSXTzpMk3ReEZudIevqdAPHGtLiK6lMEe0bmhjcjEvB2hokfZvSunRcdUi7a1w7ADsqNe6E2rhbnuHs9pZ6cRsY6ugYPj5BPShK+5rSS2Q4mnG/XjU9/qk73TheV2aaWMWRcZSicsbOddpl+f9OVMoG7lqwfwbO+ooW++2r7avmx2lqx2Cw7fr8rBqojxh3lRMjO2emcvPZj/H+tNiguNFecicKl9c0I8fE1lJZXNOUGpj12dvr0zUuCoZW9lGMGa4gbDH9mntvx+VG2P3dO866gcOwtdN/Ra7JuddG+ipV3plp8woYqY9DDsHY2HHqXEOTPXIvihQilAfPBCMS2tC6Qu/bOISVK7D79iV2aYYiPXKKKIYaa0JuUHA8vI+RAuDdvpwzGqFHJ5WuYS7v4eN2ASOj5COufwKDeq9g83hbL6khT7HzUeEqk6cfZCeWliZCi/Nndgh0a7Y64YpvIcGWO2zuNhf0HRtnoVbvym1TTfORhWEUcR3wX7RuEE1l74MY86g6UuqsQIVtV5YnMqn45X3/HolyjEl77R4IF64MVyqa7+b3NErMrlv0WzFhyBGDQYyGc+7mRTfkapn1RSvOfP+HRntKZTHVQSg8AvE9qSockqhj3Di0AsbYqlhvCfuPqHDEbF72+6r4Nf0vwk4R5iSNS4xL0cFOa5s64QSFmsn140D2F7YKWqsXR7+oKn4H7SvXmzczL
+    password: AgB7JW83nITsjEE9/0IBogh9DoZy/5VRhmmDkhh20O1IMfxLiSCcWa4N06hTWKZNN9+w1ISbwu4MQqOQF2P2v5gJa7m9Ofb82H0mzBWyXqNHWAmZrH/FWVy18Z8ZR7vTr2c0WnD2awXKcVxxwA2NREHLSC8N1MTKaCKkqA1F4ICSmWsaOK6F9drJOej7m7QlgQ5kBMgGgAy5UmZEOLrIFn4w7qMg68o7OSBSrcjSYbLUJwvAY58Alaa+8cfsqpmaDvLEvKM+13d+B2qfduGla9lKL++alN4Jz3g3BJplQw7x2vdui2uNvMMiCEzlAZVfLdnVk0N+vnCUUWpYodTKjagC19yhNl+dPEweYnM3/bUIciwuhr6LinFy5HpOABZSlVkuGmYoSQldDTu+XmLXW5glPl9NcCSL4c8NQ6dWXy3SzBxIEKZoWzRs/uW+yNvLx8Dh4SApRObKiBmRmiPwQT1JqNzjccdjt/RUOxWYfqfAp0eJePmT+3uqjAaYC6eutFV61clFbmmTJq73FBjPL0j5gIG3Q/ujWvot7QTfGk6GUYflz3J5gkU/rTWp6M/rRTQ4DV0GEozz25dvN1mQcT9ic2NmvN7jO0xNb76wAw2SYzzwEyMZpT259dFcyZL7XQuf1nqagdUiqfQwpiMW6ANQhojuM/x8CxdgPFmcAHD/21ypYOXZTipkdLd9cD+tRsjhk6cq1rx/G7TamiRaU0B424V1djbe/xsFCfaMyiNSfg==
+    username: AgB6BwW09UpcuuaSleENE6cSq7scTB0i0TJenoV9Jj0XPWiMY+PV+S5evntouQejSd8ULcHs7A3g1Gmz3VofQiHck/V1+BJQByEbm4W3s5xn1rVnAfSHiApS7EaJwOEvUIPVmah/f7oKttHyOSEs7C0jTVbZViHoJemNo1KR+PE3+N1g4Gvse6/4LsoQ9+OTRZ1HDGKA8XybpZhrcNE/iSC9yqAxw4hblHnSsUSo9zDz7erz6MUwmz/ExBwLqIdOp5FUL6DEjdnOucXFW6Fi0v1iKOjqz1SPqnFFrRvqR6WK9aYS2iOYQVre5WosdQokV843mc6akjyJ4lvqL27h3vpJsHmfETbhVO/UBLyUMXOVnXNHBeJU0sjDz1wkM+Ffsjm8R+nG/99PUpTNzZfSWRPdpCyUWJP2n31TfeUteYubfQOZTtjMZWAZjcR9KB7grku5rNMSTyg9QTOhqsi0gxPTQ5KWeN3JRf5G+rCInRmISw8YMHqnIIUZrTuQSgxzXmN9TPXqjxhyWZcPtR3w7W51xwqPyBp4whdA8W8NTcUOSP1lgUWJroevPGz0bfOxnudq6W8myhtlALF39KNnJZMbn8v9ND6UJkOZ8X1OxiupwmwV8rrd9+8vQ2d601/u35gwJqXkMzZ8SaWTH6nh1iM37fqerrp6KKqQ21QSBPIXjLls9zm99XdDjEYqHcytCUlBnK9ZDg==
+  template:
+    metadata:
+      name: gitea-admin-credentials
+      namespace: platform

infra/kubernetes/platform/gitea/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - application.yaml
+  - gitea-admin-credentials-sealed.yaml

infra/kubernetes/platform/traefik/certificate-internal.yaml

@@ -49,3 +49,16 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - harness.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+  namespace: platform
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - gitea.coreworlds.io

infra/kubernetes/platform/traefik/ingressroute-gitea.yaml

@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.coreworlds.io`)
+      kind: Rule
+      services:
+        - name: gitea-http
+          namespace: platform
+          port: 3000
+  tls:
+    secretName: gitea-tls

infra/kubernetes/platform/traefik/kustomization.yaml

@@ -8,5 +8,6 @@ resources:
   - ingressroute-grafana.yaml
   - ingressroute-longhorn.yaml
   - ingressroute-harness.yaml
+  - ingressroute-gitea.yaml
   - certificate-internal.yaml
   - servicemonitor.yaml