From abdd4b81c4515b3bd8c429bf300be28728873447 Mon Sep 17 00:00:00 2001
From: Morten Olsen
Date: Wed, 10 Sep 2025 11:55:54 +0200
Subject: [PATCH] add registry rules
---
 charts/apps/zot/templates/config-map.yaml | 15 ++++++++++++++-
 charts/apps/zot/templates/deployment.yaml | 12 +++++++++---
 charts/apps/zot/templates/secret.yaml | 9 +++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100644 charts/apps/zot/templates/secret.yaml
diff --git a/charts/apps/zot/templates/config-map.yaml b/charts/apps/zot/templates/config-map.yaml
index 5c4db90..ad53801 100644
--- a/charts/apps/zot/templates/config-map.yaml
+++ b/charts/apps/zot/templates/config-map.yaml
@@ -36,6 +36,9 @@ data:
 },
 "auth": {
 "failDelay": 5,
+ "htpasswd": {
+ "path": "/etc/zot/htpasswd"
+ },
 "openid": {
 "providers": {
 "oidc": {
@@ -53,12 +56,22 @@ data:
 "actions": ["read", "create", "update", "delete"]
 },
 "repositories": {
+ "public/**": {
+ "anonymousPolicy": ["read"],
+ "defaultPolicy": ["read"],
+ "policies": [
+ {
+ "users": ["*"],
+ "actions": ["create", "update", "delete"]
+ }
+ ]
+ },
 "**": {
 "defaultPolicy": ["read"],
 "policies": [
 {
 "users": ["*"],
- "actions": ["push", "delete"]
+ "actions": ["create", "update", "delete"]
 }
 ]
 }
diff --git a/charts/apps/zot/templates/deployment.yaml b/charts/apps/zot/templates/deployment.yaml
index 874ff82..3346d17 100644
--- a/charts/apps/zot/templates/deployment.yaml
+++ b/charts/apps/zot/templates/deployment.yaml
@@ -6,6 +6,8 @@ metadata:
 app: "{{ .Release.Name }}"
 spec:
 replicas: 1
+ strategy:
+ type: Recreate
 selector:
 matchLabels:
 app: "{{ .Release.Name }}"
@@ -14,8 +16,6 @@ spec:
 labels:
 app: "{{ .Release.Name }}"
 spec:
- strategy:
- type: Recreate
 initContainers:
 - name: render-config
 image: alpine:3.20
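Review bot: The new `htpasswd.path` of `/etc/zot/htpasswd` only resolves if the `/config-out` directory the render-config init container writes to in deployment.yaml is mounted at `/etc/zot` in the zot container; that mount is outside every hunk here, and the existing `echo "Rendered /etc/zot/config.json"` line suggests it, so please confirm it before merging. The JSON body cannot carry a comment, so the place to record the dependency is next to the volume mount in deployment.yaml, e.g. `# /config-out is rendered by the render-config init container and mounted here as /etc/zot (config.json, secrets.json, htpasswd)`. The enclosing `auth` object opens inside this hunk and closes after it.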
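Review bot: The `public/**` entry repeats the `**` entry's `defaultPolicy` and `policies` verbatim, so its only effect is `"anonymousPolicy": ["read"]`, and that effect depends on zot choosing the more specific glob over the `**` catch-all for repositories under `public/`; the precedence is not visible in this chart, so it is worth checking on the running registry that an unauthenticated pull succeeds for `public/<repo>` and is refused elsewhere. Both entries also grant `"users": ["*"]` create, update and delete, meaning any identity that authenticates via the OIDC provider or the new htpasswd file can overwrite or delete any image, including those served anonymously; if only the `cluster` user is meant to push, `"users": ["cluster"]` in the `**` policy states that directly. The `repositories` object is closed outside the hunk.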
@@ -36,9 +36,14 @@ spec:
 secretKeyRef:
 name: "{{ .Release.Name }}-client"
 key: clientSecret
+ - name: PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: "{{ .Release.Name }}-cluster"
+ key: password
 args:
 - |
- apk add --no-cache gettext >/dev/null
+ apk add --no-cache gettext apache2-utils >/dev/null
 envsubst < /config-tpl/config.tpl.json > /config-out/config.json
 echo "Rendered /etc/zot/config.json"
 echo "---------------------------------------"
@@ -49,6 +54,7 @@ spec:
 echo "---------------------------------------"
 cat /config-out/secrets.json
 echo "---------------------------------------"
+ htpasswd -nbB cluster "$PASSWORD" > /config-out/htpasswd
 volumeMounts:
 - name: config-tpl
 mountPath: /config-tpl
diff --git a/charts/apps/zot/templates/secret.yaml b/charts/apps/zot/templates/secret.yaml
new file mode 100644
index 0000000..d44c2c3
--- /dev/null
+++ b/charts/apps/zot/templates/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+ name: "{{ .Release.Name }}-cluster"
+spec:
+ fields:
+ - name: password
+ encoding: hex
+ length: 64
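Review bot: `htpasswd -nbB cluster "$PASSWORD"` in the second hunk of this file passes the secret as a command-line argument, where it is readable from the init container's process list while the command runs; `printf '%s' "$PASSWORD" | htpasswd -niB cluster > /config-out/htpasswd` feeds it on stdin instead. The script block also has no `set -e`, so if the `apk add` of `apache2-utils` fails the shell still creates an empty `/config-out/htpasswd` through the redirect and the init container exits 0, leaving zot with no htpasswd users; `set -eu` as the first line of the `- |` block makes that failure stop the pod. How the block is executed (the container's command) and the rest of the init container definition lie outside the hunk.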
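Review bot: Whether `length: 64` in the new GenerateSecret means 64 random bytes (128 hex characters after encoding) or 64 characters of output is not defined anywhere visible, and it matters because deployment.yaml hashes this value with `htpasswd -B`: bcrypt uses at most the first 72 bytes of its input, and implementations differ between silently truncating and rejecting longer passwords, so a 128-character value risks the stored hash and zot's verification disagreeing. `length: 32` gives at least 128 bits of entropy under either reading and stays below the 72-byte limit; if 64 is kept, record the unit with a comment such as `# length unit (bytes vs. output chars) — confirm against the GenerateSecret CRD; keep the encoded value under 72 bytes for bcrypt`.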