diff --git a/charts/apps/zot/Chart.yaml b/charts/apps/zot/Chart.yaml new file mode 100644 index 0000000..125024a --- /dev/null +++ b/charts/apps/zot/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +version: 1.0.0 +name: zot diff --git a/charts/apps/zot/templates/client.yaml b/charts/apps/zot/templates/client.yaml new file mode 100644 index 0000000..d579b13 --- /dev/null +++ b/charts/apps/zot/templates/client.yaml @@ -0,0 +1,10 @@ +apiVersion: homelab.mortenolsen.pro/v1 +kind: OidcClient +metadata: + name: "{{ .Release.Name }}" +spec: + environment: "{{ .Values.globals.environment }}" + redirectUris: + - path: /zot/auth/callback/oidc + subdomain: "{{ .Values.subdomain }}" + matchingMode: strict diff --git a/charts/apps/zot/templates/config-map.yaml b/charts/apps/zot/templates/config-map.yaml new file mode 100644 index 0000000..5c4db90 --- /dev/null +++ b/charts/apps/zot/templates/config-map.yaml @@ -0,0 +1,83 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-config-template +data: + secrets.tpl.json: | + { + "clientid": "${CLIENT_ID}", + "clientsecret": "${CLIENT_SECRET}" + } + config.tpl.json: | + { + "storage": { + "rootDirectory": "/var/lib/registry", + "commit": false, + "dedupe": true, + "gc": true, + "gcDelay": "1h", + "gcInterval": "24h" + }, + "log": { + "level": "info" + }, + "http": { + "address": "0.0.0.0", + "port": "5000", + "externalUrl": "https://{{ .Values.subdomain }}.{{ .Values.globals.domain }}", + "ratelimit": { + "rate": 10, + "methods": [ + { + "method": "GET", + "rate": 20 + } + ] + }, + "auth": { + "failDelay": 5, + "openid": { + "providers": { + "oidc": { + "name": "main", + "credentialsFile": "/etc/zot/secrets.json", + "issuer": "${ISSUER}", + "scopes": ["openid", "profile", "email"] + } + } + } + }, + "accessControl": { + "adminPolicy": { + "groups": ["admin"], + "actions": ["read", "create", "update", "delete"] + }, + "repositories": { + "**": { + "defaultPolicy": ["read"], + "policies": [ + { + "users": ["*"], + "actions": ["push", "delete"] + } + ] + } + } + } + }, + "extensions": { + "ui": { "enable": true }, + "metrics": { "enable": true }, + "search": { "enable": true }, + "scrub": { + "enable": true, + "interval": "24h" + }, + "trust": { + "enable": true, + "cosign": true, + "notation": true + } + + } + } \ No newline at end of file diff --git a/charts/apps/zot/templates/deployment.yaml b/charts/apps/zot/templates/deployment.yaml new file mode 100644 index 0000000..874ff82 --- /dev/null +++ b/charts/apps/zot/templates/deployment.yaml @@ -0,0 +1,98 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: "{{ .Release.Name }}" + labels: + app: "{{ .Release.Name }}" +spec: + replicas: 1 + selector: + matchLabels: + app: "{{ .Release.Name }}" + template: + metadata: + labels: + app: "{{ .Release.Name }}" + spec: + strategy: + type: Recreate + initContainers: + - name: render-config + image: alpine:3.20 + command: ["/bin/sh", "-c"] + env: + - name: ISSUER + valueFrom: + secretKeyRef: + name: "{{ .Release.Name }}-client" + key: configurationIssuer + - name: CLIENT_ID + valueFrom: + secretKeyRef: + name: "{{ .Release.Name }}-client" + key: clientId + - name: CLIENT_SECRET + valueFrom: + secretKeyRef: + name: "{{ .Release.Name }}-client" + key: clientSecret + args: + - | + apk add --no-cache gettext >/dev/null + envsubst < /config-tpl/config.tpl.json > /config-out/config.json + echo "Rendered /etc/zot/config.json" + echo "---------------------------------------" + cat /config-out/config.json + echo "---------------------------------------" + envsubst < /config-tpl/secrets.tpl.json > /config-out/secrets.json + echo "Rendered /etc/zot/secrets.json" + echo "---------------------------------------" + cat /config-out/secrets.json + echo "---------------------------------------" + volumeMounts: + - name: config-tpl + mountPath: /config-tpl + - name: config + mountPath: /config-out + containers: + - name: "{{ .Release.Name }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + ports: + - containerPort: 5000 + name: http + env: + - name: TZ + value: "{{ .Values.globals.timezone }}" + - name: BASE_URL + value: https://{{ .Values.subdomain }}.{{ .Values.globals.domain }} + volumeMounts: + - mountPath: /var/lib/registry + name: data + - mountPath: /etc/zot + name: config + # readinessProbe: + # httpGet: + # path: /v2/ + # port: http + # initialDelaySeconds: 3 + # periodSeconds: 10 + # livenessProbe: + # httpGet: + # path: /v2/ + # port: http + # initialDelaySeconds: 10 + # periodSeconds: 20 + volumes: + - name: data + persistentVolumeClaim: + claimName: "{{ .Release.Name }}-data" + - name: config-tpl + configMap: + name: {{ .Release.Name }}-config-template + items: + - key: config.tpl.json + path: config.tpl.json + - key: secrets.tpl.json + path: secrets.tpl.json + - name: config + emptyDir: {} diff --git a/charts/apps/zot/templates/external-http-service.yaml b/charts/apps/zot/templates/external-http-service.yaml new file mode 100644 index 0000000..e28916d --- /dev/null +++ b/charts/apps/zot/templates/external-http-service.yaml @@ -0,0 +1,11 @@ +apiVersion: homelab.mortenolsen.pro/v1 +kind: ExternalHttpService +metadata: + name: '{{ .Release.Name }}' +spec: + environment: '{{ .Values.globals.environment }}' + subdomain: '{{ .Values.subdomain }}' + destination: + host: '{{ .Release.Name }}.{{ .Release.Namespace }}.svc.cluster.local' + port: + number: 80 diff --git a/charts/apps/zot/templates/http-service.yaml b/charts/apps/zot/templates/http-service.yaml new file mode 100644 index 0000000..15b1989 --- /dev/null +++ b/charts/apps/zot/templates/http-service.yaml @@ -0,0 +1,11 @@ +apiVersion: homelab.mortenolsen.pro/v1 +kind: HttpService +metadata: + name: "{{ .Release.Name }}" +spec: + environment: "{{ .Values.globals.environment }}" + subdomain: "{{ .Values.subdomain }}" + destination: + host: "{{ .Release.Name }}" + port: + number: 80 diff --git a/charts/apps/zot/templates/pvc.yaml b/charts/apps/zot/templates/pvc.yaml new file mode 100644 index 0000000..bc1d0a6 --- /dev/null +++ b/charts/apps/zot/templates/pvc.yaml @@ -0,0 +1,11 @@ +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: '{{ .Release.Name }}-data' +spec: + accessModes: + - 'ReadWriteOnce' + resources: + requests: + storage: '1Gi' + storageClassName: '{{ .Values.globals.environment }}' diff --git a/charts/apps/zot/templates/service.yaml b/charts/apps/zot/templates/service.yaml new file mode 100644 index 0000000..a634293 --- /dev/null +++ b/charts/apps/zot/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: "{{ .Release.Name }}" + labels: + app: "{{ .Release.Name }}" +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: 5000 + protocol: TCP + name: http + selector: + app: "{{ .Release.Name }}" diff --git a/charts/apps/zot/values.yaml b/charts/apps/zot/values.yaml new file mode 100644 index 0000000..bd2ff9d --- /dev/null +++ b/charts/apps/zot/values.yaml @@ -0,0 +1,8 @@ +globals: + environment: prod + domain: olsen.cloud + timezone: Europe/Amsterdam +subdomain: zot +image: + repository: ghcr.io/project-zot/zot + tag: latest \ No newline at end of file