platform: keep GX10 shared VIP traffic policy aligned

gx10/platform/README.md

@@ -9,6 +9,7 @@ ApplicationSet (`apps-gx10/*`) will own these.
 
 - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
 - `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
+- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service sharing the Traefik VIP on port 22 with matching `externalTrafficPolicy: Local`; MetalLB requires the shared-IP services to use the same traffic policy. APPLIED.
 
 cert-manager v1.17.2 was installed separately (upstream static manifest). See
 `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory

gx10/platform/gitea-ssh-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+  annotations:
+    metallb.io/allow-shared-ip: gitea-traefik-202
+    metallb.universe.tf/loadBalancerIPs: 10.0.57.202
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: gitea
+  ports:
+    - name: ssh
+      port: 22
+      protocol: TCP
+      targetPort: 2222

gx10/platform/traefik-helmchart.yaml

@@ -15,6 +15,7 @@ spec:
       spec:
         externalTrafficPolicy: Local
       annotations:
+        metallb.io/allow-shared-ip: gitea-traefik-202
         metallb.universe.tf/address-pool: prod-pool
         metallb.universe.tf/loadBalancerIPs: 10.0.57.202
     ingressClass: