platform: dedicate GX10 Gitea SSH VIP

gx10/platform/README.md

@@ -9,7 +9,7 @@ ApplicationSet (`apps-gx10/*`) will own these.
 
 - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
 - `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
-- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service sharing the Traefik VIP on port 22 with matching `externalTrafficPolicy: Local`; MetalLB requires the shared-IP services to use the same traffic policy. APPLIED.
+- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.57.202`. APPLIED.
 
 cert-manager v1.17.2 was installed separately (upstream static manifest). See
 `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory

gx10/platform/gitea-ssh-service.yaml

@@ -4,8 +4,7 @@ metadata:
   name: gitea-ssh
   namespace: gitea
   annotations:
-    metallb.io/allow-shared-ip: gitea-traefik-202
+    metallb.universe.tf/loadBalancerIPs: 10.0.57.206
-    metallb.universe.tf/loadBalancerIPs: 10.0.57.202
 spec:
   type: LoadBalancer
   externalTrafficPolicy: Local

gx10/platform/traefik-helmchart.yaml

@@ -15,7 +15,6 @@ spec:
       spec:
         externalTrafficPolicy: Local
       annotations:
-        metallb.io/allow-shared-ip: gitea-traefik-202
         metallb.universe.tf/address-pool: prod-pool
         metallb.universe.tf/loadBalancerIPs: 10.0.57.202
     ingressClass:

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -250,20 +250,18 @@ public sealed class FleetManifestLintTests
     }
 
     [Fact]
-    public void Gx10SharedVipLoadBalancers_MustPreserveClientSourceIp()
+    public void Gx10PublicLoadBalancers_MustPreserveClientSourceIp()
     {
         var traefikPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml");
         var traefik = File.ReadAllText(traefikPath);
 
-        traefik.Should().Contain("metallb.io/allow-shared-ip: gitea-traefik-202");
         traefik.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202");
         traefik.Should().Contain("spec:\n        externalTrafficPolicy: Local");
 
         var giteaPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "gitea-ssh-service.yaml");
         var gitea = File.ReadAllText(giteaPath);
 
-        gitea.Should().Contain("metallb.io/allow-shared-ip: gitea-traefik-202");
+        gitea.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.206");
-        gitea.Should().Contain("metallb.universe.tf/loadBalancerIPs: 10.0.57.202");
         gitea.Should().Contain("externalTrafficPolicy: Local");
     }