attempt add adding renovate

charts/apps/zot/templates/config-map.yaml

@@ -36,6 +36,9 @@ data:
         },
         "auth": {
           "failDelay": 5,
+          "htpasswd": {
+            "path": "/etc/zot/htpasswd"
+          },
           "openid": {
             "providers": {
               "oidc": {
@@ -53,12 +56,22 @@ data:
             "actions": ["read", "create", "update", "delete"]
           },
           "repositories": {
+            "public/**": {
+              "anonymousPolicy": ["read"],
+              "defaultPolicy": ["read"],
+              "policies": [
+                {
+                  "users": ["*"],
+                  "actions": ["create", "update", "delete"]
+                }
+              ]
+            },
             "**": {
               "defaultPolicy": ["read"],
               "policies": [
                 {
                   "users": ["*"],
-                  "actions": ["push", "delete"]
+                  "actions": ["create", "update", "delete"]
                 }
               ]
             }

charts/apps/zot/templates/deployment.yaml

@@ -6,6 +6,8 @@ metadata:
     app: "{{ .Release.Name }}"
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: "{{ .Release.Name }}"
@@ -14,8 +16,6 @@ spec:
       labels:
         app: "{{ .Release.Name }}"
     spec:
-      strategy:
-        type: Recreate
       initContainers:
         - name: render-config
           image: alpine:3.20
@@ -36,9 +36,14 @@ spec:
                 secretKeyRef:
                   name: "{{ .Release.Name }}-client"
                   key: clientSecret
+            - name: PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-cluster"
+                  key: password
           args:
             - |
-              apk add --no-cache gettext >/dev/null
+              apk add --no-cache gettext apache2-utils >/dev/null
               envsubst < /config-tpl/config.tpl.json > /config-out/config.json
               echo "Rendered /etc/zot/config.json"
               echo "---------------------------------------"
@@ -49,6 +54,7 @@ spec:
               echo "---------------------------------------"
               cat /config-out/secrets.json
               echo "---------------------------------------"
+              htpasswd -nbB cluster "$PASSWORD" > /config-out/htpasswd
           volumeMounts:
             - name: config-tpl
               mountPath: /config-tpl

charts/apps/zot/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: "{{ .Release.Name }}-cluster"
+spec:
+  fields:
+    - name: password
+      encoding: hex
+      length: 64

renovate.json5

@@ -0,0 +1,50 @@
+// .github/renovate.json5 (or renovate.json)
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "autodiscover": false,
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "extractVersion": "^(?<version>.*)$",
+      "versioning": "semver",
+      "groupName": "All Docker Images",
+      "pinDigests": true,
+    },
+  ],
+  "helm": {
+    "fileMatch": ["charts/**/values.yaml"],
+    // You generally don't need to list public registries here.
+    // Only add specific entries for *private* registries that require explicit authentication.
+    // Renovate is smart enough to infer common public ones.
+    "registryUrls": {
+      // "my.private.registry.com": "https://my.private.registry.com/v2/" // Example for a private registry
+      }
+  },
+  "regexManagers": [
+    {
+      "fileMatch": ["(^|/)charts/.*values\\.yaml$"],
+      "matchStrings": [
+        // Primary image:
+        // This regex tries to capture the full image name, including the registry if specified.
+        // It's designed to be flexible.
+        "repository:\\s*(?<depName>.*?)\\n\\s*tag:\\s*(?<currentValue>.*?)\\n",
+
+        // Nested images (e.g., piper.image, whisper.image):
+        // This regex accounts for a preceding key and potential 'image:' sub-key.
+        "^(?!\\s*#)[^\\s]*?:(?:\\n\\s*image:)?\\n\\s*repository:\\s*(?<depName>.*?)\\n\\s*tag:\\s*(?<currentValue>.*?)\\n"
+      ],
+      "datasourceTemplate": "docker",
+      // Important: Add a "depNameTemplate" to ensure capture group 1 (depName) is used
+      // which should contain the full path including registry
+      "depNameTemplate": "{{depName}}"
+    }
+  ],
+  // ... rest of your configuration
+  "ignorePaths": ["**/node_modules/**", "**/vendor/**"],
+  "timezone": "Europe/Oslo",
+  "schedule": ["at any time"],
+  "commitMessageTopic": "{{depName}} Docker image",
+  "prConcurrentLimit": 5,
+  "dependencyDashboard": true,
+  "dependencyDashboardAutoclose": true
+}