titan-iac/services/zot/deployment.yaml

# services/zot/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zot
  namespace: zot
  labels: { app: zot }
spec:
  replicas: 1
  selector:
    matchLabels: { app: zot }
  template:
    metadata:
      labels: { app: zot }
    spec:
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: hardware
                operator: In
                values: ["rpi4","rpi5"]
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                - key: hardware
                  operator: In
                  values: ["rpi4"]
      containers:
        - name: zot
          image: ghcr.io/project-zot/zot-linux-arm64:v2.1.8
          imagePullPolicy: IfNotPresent
          args: ["serve", "/etc/zot/config.json"]
          ports:
            - { name: http, containerPort: 5000 }
          volumeMounts:
            - name: cfg-rendered
              mountPath: /etc/zot/config.json
              subPath: config.json
              readOnly: true
            - name: zot-data
              mountPath: /var/lib/registry
          readinessProbe:
            tcpSocket:
              port: 5000
            initialDelaySeconds: 2
            periodSeconds: 5
          livenessProbe:
            tcpSocket:
              port: 5000
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            requests: { cpu: "50m", memory: "64Mi" }
      initContainers:
        - name: render-config
          image: busybox:1.36
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              if [ -z "${ZOT_CLIENT_SECRET:-}" ]; then
                echo "ZOT_CLIENT_SECRET is empty; ensure zot-oidc-client secret exists" >&2
                exit 1
              fi
              sed "s|__CLIENT_SECRET__|${ZOT_CLIENT_SECRET}|g" /config-src/config.json > /config/config.json
          env:
            - name: ZOT_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy-zot-oidc
                  key: client_secret
          volumeMounts:
            - name: cfg-src
              mountPath: /config-src
            - name: cfg-rendered
              mountPath: /config
      volumes:
        - name: cfg-src
          configMap:
            name: zot-config
        - name: cfg-rendered
          emptyDir: {}
        - name: zot-data
          persistentVolumeClaim:
            claimName: zot-data
add zot 2025-08-13 15:58:51 -05:00			`# services/zot/deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: zot`
			`namespace: zot`
			`labels: { app: zot }`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels: { app: zot }`
			`template:`
			`metadata:`
			`labels: { app: zot }`
			`spec:`
			`nodeSelector:`
adding sui wallet script 2025-08-14 20:37:30 -05:00			`node-role.kubernetes.io/worker: "true"`
pin stable jellyfin 2025-09-02 10:43:44 -05:00			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4","rpi5"]`
			`preferredDuringSchedulingIgnoredDuringExecution:`
			`- weight: 50`
			`preference:`
			`matchExpressions:`
			`- key: hardware`
			`operator: In`
			`values: ["rpi4"]`
add zot 2025-08-13 15:58:51 -05:00			`containers:`
			`- name: zot`
zot version pin 2025-09-08 22:52:41 -05:00			`image: ghcr.io/project-zot/zot-linux-arm64:v2.1.8`
			`imagePullPolicy: IfNotPresent`
add zot 2025-08-13 15:58:51 -05:00			`args: ["serve", "/etc/zot/config.json"]`
			`ports:`
zot fixes 2025-08-13 17:21:23 -05:00			`- { name: http, containerPort: 5000 }`
add zot 2025-08-13 15:58:51 -05:00			`volumeMounts:`
sso: fix vault OIDC bootstrap and render zot oidc config 2025-12-08 23:23:21 -03:00			`- name: cfg-rendered`
zot fixes 2025-08-13 17:21:23 -05:00			`mountPath: /etc/zot/config.json`
			`subPath: config.json`
			`readOnly: true`
add zot 2025-08-13 15:58:51 -05:00			`- name: zot-data`
			`mountPath: /var/lib/registry`
			`readinessProbe:`
zot fix 2025-09-15 02:15:27 -05:00			`tcpSocket:`
			`port: 5000`
			`initialDelaySeconds: 2`
			`periodSeconds: 5`
			`livenessProbe:`
			`tcpSocket:`
			`port: 5000`
add zot 2025-08-13 15:58:51 -05:00			`initialDelaySeconds: 5`
			`periodSeconds: 10`
			`resources:`
zot ui 2025-08-13 19:57:26 -05:00			`requests: { cpu: "50m", memory: "64Mi" }`
sso: fix vault OIDC bootstrap and render zot oidc config 2025-12-08 23:23:21 -03:00			`initContainers:`
			`- name: render-config`
			`image: busybox:1.36`
			`command:`
			`- /bin/sh`
			`- -c`
			`- \|`
			`set -eu`
			`if [ -z "${ZOT_CLIENT_SECRET:-}" ]; then`
			`echo "ZOT_CLIENT_SECRET is empty; ensure zot-oidc-client secret exists" >&2`
			`exit 1`
			`fi`
			`sed "s\|__CLIENT_SECRET__\|${ZOT_CLIENT_SECRET}\|g" /config-src/config.json > /config/config.json`
			`env:`
			`- name: ZOT_CLIENT_SECRET`
			`valueFrom:`
			`secretKeyRef:`
zot: align oidc client to oauth2-proxy; add vault redirect 2025-12-09 20:49:25 -03:00			`name: oauth2-proxy-zot-oidc`
sso: fix vault OIDC bootstrap and render zot oidc config 2025-12-08 23:23:21 -03:00			`key: client_secret`
			`volumeMounts:`
			`- name: cfg-src`
			`mountPath: /config-src`
			`- name: cfg-rendered`
			`mountPath: /config`
add zot 2025-08-13 15:58:51 -05:00			`volumes:`
sso: fix vault OIDC bootstrap and render zot oidc config 2025-12-08 23:23:21 -03:00			`- name: cfg-src`
zot fixes 2025-08-13 17:21:23 -05:00			`configMap:`
			`name: zot-config`
sso: fix vault OIDC bootstrap and render zot oidc config 2025-12-08 23:23:21 -03:00			`- name: cfg-rendered`
			`emptyDir: {}`
add zot 2025-08-13 15:58:51 -05:00			`- name: zot-data`
			`persistentVolumeClaim:`
			`claimName: zot-data`