Fix renovate configuration

.github/workflows/renovate.yml

@@ -0,0 +1,15 @@
+name: Renovate
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 */6 * * *'
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Self-hosted Renovate
+        uses: renovatebot/github-action@v40.2.2
+        with:
+          token: ${{ secrets.RENOVATE_TOKEN }}

.gitignore

@@ -1,3 +1,4 @@
 /secret.*.yaml
 /data/
-*.DS_Store
+/.envrc
+*.DS_Store

charts/apps/zot/templates/config-map.yaml

@@ -36,6 +36,9 @@ data:
         },
         "auth": {
           "failDelay": 5,
+          "htpasswd": {
+            "path": "/etc/zot/htpasswd"
+          },
           "openid": {
             "providers": {
               "oidc": {
@@ -53,12 +56,22 @@ data:
             "actions": ["read", "create", "update", "delete"]
           },
           "repositories": {
+            "public/**": {
+              "anonymousPolicy": ["read"],
+              "defaultPolicy": ["read"],
+              "policies": [
+                {
+                  "users": ["*"],
+                  "actions": ["create", "update", "delete"]
+                }
+              ]
+            },
             "**": {
               "defaultPolicy": ["read"],
               "policies": [
                 {
                   "users": ["*"],
-                  "actions": ["push", "delete"]
+                  "actions": ["create", "update", "delete"]
                 }
               ]
             }

charts/apps/zot/templates/deployment.yaml

@@ -6,6 +6,8 @@ metadata:
     app: "{{ .Release.Name }}"
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: "{{ .Release.Name }}"
@@ -14,8 +16,6 @@ spec:
       labels:
         app: "{{ .Release.Name }}"
     spec:
-      strategy:
-        type: Recreate
       initContainers:
         - name: render-config
           image: alpine:3.20
@@ -36,9 +36,14 @@ spec:
                 secretKeyRef:
                   name: "{{ .Release.Name }}-client"
                   key: clientSecret
+            - name: PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Release.Name }}-cluster"
+                  key: password
           args:
             - |
-              apk add --no-cache gettext >/dev/null
+              apk add --no-cache gettext apache2-utils >/dev/null
               envsubst < /config-tpl/config.tpl.json > /config-out/config.json
               echo "Rendered /etc/zot/config.json"
               echo "---------------------------------------"
@@ -49,6 +54,7 @@ spec:
               echo "---------------------------------------"
               cat /config-out/secrets.json
               echo "---------------------------------------"
+              htpasswd -nbB cluster "$PASSWORD" > /config-out/htpasswd
           volumeMounts:
             - name: config-tpl
               mountPath: /config-tpl

charts/apps/zot/templates/secret.yaml

@@ -0,0 +1,9 @@
+apiVersion: homelab.mortenolsen.pro/v1
+kind: GenerateSecret
+metadata:
+  name: "{{ .Release.Name }}-cluster"
+spec:
+  fields:
+    - name: password
+      encoding: hex
+      length: 64

renovate.json5

@@ -0,0 +1,26 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "pinDigests": true
+    }
+  ],
+  "helm-values": {
+    "fileMatch": ["^charts/.*/values\\.yaml$"]
+  },
+  "regexManagers": [
+    {
+      "fileMatch": ["^charts/.*/values\\.yaml$"],
+      "matchStrings": [
+        "repository:\s*'(?<depName>.*?)'\n\s*tag:\s*'(?<currentValue>.*?)'",
+        "repository:\s*\"(?<depName>.*?)\"\n\s*tag:\s*\"(?<currentValue>.*?)\"",
+        "repository:\s*(?<depName>.*?)\n\s*tag:\s*(?<currentValue>.*)"
+      ],
+      "datasourceTemplate": "docker"
+    }
+  ]
+}