cluster/kube/lib/nginx: add gitea-prod ingress service

We would like gitea to have its ssh server exposed on TCP port 22 on the
same address as its web interface. We would also still like to use all
the automation around ingresses already in place (like cert-manager
integration).

To solve this, we create an additional LoadBalancer service for
nginx-ingress-controller and set up special tcp-services forwarding rule
to pass port 22 traffic to gitea-prod/gitea service, like we already do
in case of gerrit.

Change-Id: I5bfc901ebe858464f8e9c2f3b2216b254ccd6c4d

cluster/kube/lib/nginx.libsonnet

@@ -31,7 +31,8 @@ local policies = import "../../../kube/policies.libsonnet";
             configuration: env.maps.make("nginx-configuration"),
             tcp: env.maps.make("tcp-services") {
                 data: {
-                    "22": "gerrit/gerrit:22"
+                    "22": "gerrit/gerrit:22",
+                    "222": "gitea-prod/gitea:22",
                 }
             },
             udp: env.maps.make("udp-services"),
@@ -153,6 +154,20 @@ local policies = import "../../../kube/policies.libsonnet";
             },
         },
 
+        serviceGitea: kube.Service("ingress-nginx-gitea") {
+            metadata+: env.metadata,
+            target_pod:: env.deployment.spec.template,
+            spec+: {
+                type: "LoadBalancer",
+                loadBalancerIP: "185.236.240.60",
+                ports: [
+                    { name: "ssh", port: 22, targetPort: 222, protocol: "TCP" },
+                    { name: "http", port: 80, targetPort: 80, protocol: "TCP" },
+                    { name: "https", port: 443, targetPort: 443, protocol: "TCP" },
+                ],
+            },
+        },
+
         deployment: kube.Deployment("nginx-ingress-controller") {
             metadata+: env.metadata,
             spec+: {