add registry rules

2026-02-08 01:36:28 +01:00 · 2025-09-10 11:55:54 +02:00
parent 4691ab1139
commit abdd4b81c4
3 changed files with 32 additions and 4 deletions
--- a/charts/apps/zot/templates/config-map.yaml
+++ b/charts/apps/zot/templates/config-map.yaml
@@ -36,6 +36,9 @@ data:
        },
        "auth": {
          "failDelay": 5,
+          "htpasswd": {
+            "path": "/etc/zot/htpasswd"
+          },
          "openid": {
            "providers": {
              "oidc": {
@@ -53,12 +56,22 @@ data:
            "actions": ["read", "create", "update", "delete"]
          },
          "repositories": {
+            "public/**": {
+              "anonymousPolicy": ["read"],
+              "defaultPolicy": ["read"],
+              "policies": [
+                {
+                  "users": ["*"],
+                  "actions": ["create", "update", "delete"]
+                }
+              ]
+            },
            "**": {
              "defaultPolicy": ["read"],
              "policies": [
                {
                  "users": ["*"],
-                  "actions": ["push", "delete"]
+                  "actions": ["create", "update", "delete"]
                }
              ]
            }
--- a/charts/apps/zot/templates/deployment.yaml
+++ b/charts/apps/zot/templates/deployment.yaml
@@ -6,6 +6,8 @@ metadata:
    app: "{{ .Release.Name }}"
 spec:
  replicas: 1
+  strategy:
+    type: Recreate
  selector:
    matchLabels:
      app: "{{ .Release.Name }}"
@@ -14,8 +16,6 @@ spec:
      labels:
        app: "{{ .Release.Name }}"
    spec:
-      strategy:
-        type: Recreate
      initContainers:
        - name: render-config
          image: alpine:3.20
@@ -36,9 +36,14 @@ spec:
                secretKeyRef:
                  name: "{{ .Release.Name }}-client"
                  key: clientSecret
+            - name: PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-cluster"
+                  key: password
          args:
            - |
-              apk add --no-cache gettext >/dev/null
+              apk add --no-cache gettext apache2-utils >/dev/null
              envsubst < /config-tpl/config.tpl.json > /config-out/config.json
              echo "Rendered /etc/zot/config.json"
              echo "---------------------------------------"
@@ -49,6 +54,7 @@ spec:
              echo "---------------------------------------"
              cat /config-out/secrets.json
              echo "---------------------------------------"
+              htpasswd -nbB cluster "$PASSWORD" > /config-out/htpasswd
          volumeMounts:
            - name: config-tpl
              mountPath: /config-tpl
--- a/charts/apps/zot/templates/secret.yaml
+++ b/charts/apps/zot/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: "{{ .Release.Name }}-cluster"
+spec:
+  fields:
+    - name: password
+      encoding: hex
+      length: 64