From 3742d603acb771efbf63c9e2b0a2d7a50d53772e Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Wed, 13 Aug 2025 15:58:51 -0500
Subject: [PATCH] add zot

---
 htpasswd | 2 +
 .../flux-system/kustomization-zot.yaml | 16 ++++++
 infrastructure/flux-system/kustomization.yaml | 1 +
 services/gitea/namespace.yaml | 2 +-
 services/zot/config.json | 24 ++++++++
 services/zot/deployment.yaml | 57 +++++++++++++++++++
 services/zot/ingress.yaml | 24 ++++++++
 services/zot/kustomization.yaml | 17 ++++++
 services/zot/namespace.yaml | 5 ++
 services/zot/pvc.yaml | 12 ++++
 services/zot/service.yaml | 14 +++++
 11 files changed, 173 insertions(+), 1 deletion(-)
 create mode 100644 htpasswd
 create mode 100644 infrastructure/flux-system/kustomization-zot.yaml
 create mode 100644 services/zot/config.json
 create mode 100644 services/zot/deployment.yaml
 create mode 100644 services/zot/ingress.yaml
 create mode 100644 services/zot/kustomization.yaml
 create mode 100644 services/zot/namespace.yaml
 create mode 100644 services/zot/pvc.yaml
 create mode 100644 services/zot/service.yaml

diff --git a/htpasswd b/htpasswd
new file mode 100644
index 0000000..6ea6e5a
--- /dev/null
+++ b/htpasswd
@@ -0,0 +1,2 @@
+bstein:$2y$05$eBWujs/sCl2sj2nm.bN2CeBll9erbu4Z/XCLBd572yPADtgiuWh5.
+
diff --git a/infrastructure/flux-system/kustomization-zot.yaml b/infrastructure/flux-system/kustomization-zot.yaml
new file mode 100644
index 0000000..e79d4bc
--- /dev/null
+++ b/infrastructure/flux-system/kustomization-zot.yaml
@@ -0,0 +1,16 @@
+# infrastructure/flux-system/kustomization-zot.yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: zot
+ namespace: flux-system
+spec:
+ interval: 10m
+ path: ./services/zot
+ targetNamespace: zot
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ wait: true
diff --git a/infrastructure/flux-system/kustomization.yaml b/infrastructure/flux-system/kustomization.yaml
index e96f660..54fb1a9 100644
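Review bot: The new `htpasswd` file at the repository root commits a live bcrypt hash for user `bstein`, and nothing in this patch consumes it: `services/zot/deployment.yaml` mounts that credential from a Secret named `zot-htpasswd`, but neither this file nor `services/zot/kustomization.yaml` produces that Secret, so the pod's projected volume will wait on an object the repo never creates. A hash in git is readable by everyone with access to the repository, and this one uses bcrypt cost `05` (the `htpasswd -B` default), which is low by current guidance and gives little margin against offline guessing if the repo leaks. I'd remove the file from the tree, regenerate the hash at a higher cost, and create `zot-htpasswd` either outside the repo or in an encrypted form the cluster can decrypt, noting in `services/zot/kustomization.yaml` with a comment such as `# Secret zot-htpasswd (key: htpasswd) is provisioned out of band` that the Secret is expected to exist beforehand.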
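Review bot: `prune: false` on the new Flux Kustomization means any object later removed from `./services/zot` stays in the cluster until someone deletes it by hand, which is easy to forget for an internet-facing Ingress; if that is intended (for example to protect the PVC from an accidental removal), a comment such as `# prune disabled: keep zot-data PVC on accidental removal` makes the trade-off explicit, otherwise `prune: true` is the usual GitOps expectation. The Ingress in this path also relies on the `traefik` ingress class and the `letsencrypt-prod` ClusterIssuer, which presumably come from another Flux Kustomization in this directory; if so, `dependsOn: [{ name: <core Kustomization name placeholder> }]` avoids reconcile errors on a fresh cluster.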
--- a/infrastructure/flux-system/kustomization.yaml
+++ b/infrastructure/flux-system/kustomization.yaml
@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
 - gotk-components.yaml
 - gotk-sync.yaml
+- kustomization-zot.yaml
 - kustomization-core.yaml
 - kustomization-gitea.yaml
 - kustomization-crypto.yaml
diff --git a/services/gitea/namespace.yaml b/services/gitea/namespace.yaml
index d884423..09a988f 100644
--- a/services/gitea/namespace.yaml
+++ b/services/gitea/namespace.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: gitea
\ No newline at end of file
+ name: gitea
diff --git a/services/zot/config.json b/services/zot/config.json
new file mode 100644
index 0000000..54390b7
--- /dev/null
+++ b/services/zot/config.json
@@ -0,0 +1,24 @@
+{
+ "storage": { "rootDirectory": "/var/lib/registry" },
+ "log": { "level": "info" },
+ "http": {
+ "address": "0.0.0.0",
+ "port": "5000",
+ "auth": {
+ "htpasswd": { "path": "/etc/zot/htpasswd" }
+ },
+ "accessControl": {
+ "repositories": {
+ "**": {
+ "anonymousPolicy": ["read"],
+ "policies": [
+ {
+ "users": ["bstein"],
+ "actions": ["create", "update", "delete"]
+ }
+ ]
+ }
+ }
+ }
+ }
+}
diff --git a/services/zot/deployment.yaml b/services/zot/deployment.yaml
new file mode 100644
index 0000000..a749a5d
--- /dev/null
+++ b/services/zot/deployment.yaml
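Review bot: The `"**"` access-control entry grants `"anonymousPolicy": ["read"]` on every repository, and `services/zot/ingress.yaml` publishes this registry on `registry.bstein.dev`, so anything pushed here is pullable by anyone on the internet without credentials. If private images are ever expected, drop the anonymousPolicy line and give the authenticated user explicit read instead, `"actions": ["read", "create", "update", "delete"]`; if public pull is the intent, state it in the commit message or a README, since JSON leaves no room for a comment. Also note that no default policy for other authenticated users is configured, so any account added to the htpasswd file later would get only the anonymous rights until a policy names it — probably fine, but worth being deliberate about.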
@@ -0,0 +1,57 @@
+# services/zot/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: zot
+ namespace: zot
+ labels: { app: zot }
+spec:
+ replicas: 1
+ selector:
+ matchLabels: { app: zot }
+ template:
+ metadata:
+ labels: { app: zot }
+ spec:
+ nodeSelector:
+ kubernetes.io/arch: arm64
+ containers:
+ - name: zot
+ image: ghcr.io/project-zot/zot-linux-arm64:v2.1.7
+ args: ["serve", "/etc/zot/config.json"]
+ ports:
+ - name: http
+ containerPort: 5000
+ volumeMounts:
+ - name: zot-data
+ mountPath: /var/lib/registry
+ - name: cfg
+ mountPath: /etc/zot
+ readinessProbe:
+ tcpSocket: { port: 5000 }
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources:
+ requests:
+ cpu: "50m"
+ memory: "64Mi"
+ limits:
+ memory: "256Mi"
+ volumes:
+ - name: zot-data
+ persistentVolumeClaim:
+ claimName: zot-data
+ - name: cfg
+ projected:
+ sources:
+ - configMap:
+ name: zot-config
+ items:
+ - key: config.json
+ path: config.json
+ - secret:
+ name: zot-htpasswd
+ items:
+ - key: htpasswd
+ path: htpasswd
+
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
new file mode 100644
index 0000000..aa4cd43
--- /dev/null
+++ b/services/zot/ingress.yaml
@@ -0,0 +1,24 @@
+# services/zot/ingress.yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: zot
+ namespace: zot
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts: [ "registry.bstein.dev" ]
+ secretName: registry-bstein-dev-tls
+ rules:
+ - host: registry.bstein.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: zot
+ port:
+ number: 5000
diff --git a/services/zot/kustomization.yaml b/services/zot/kustomization.yaml
new file mode 100644
index 0000000..302212b
--- /dev/null
+++ b/services/zot/kustomization.yaml
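Review bot: The zot container has no `securityContext` at all, so the pod gets whatever the image defaults to — root is not ruled out, privilege escalation is allowed, the root filesystem is writable and no capabilities are dropped — on a service that accepts uploads from the internet. A `strategy: { type: Recreate }` is also worth adding, because the single `ReadWriteOnce` claim `zot-data` cannot be attached to a second pod during the default rolling update, which can leave a rollout stuck on a multi-node arm64 pool. The image is pinned by tag (`v2.1.7`) rather than digest; `ghcr.io/project-zot/zot-linux-arm64:v2.1.7@sha256:<digest placeholder>` makes what runs immutable, which matters most for the component that will store the rest of your images. The hardening below assumes the image runs as a non-root user and needs no scratch space beyond the mounted volumes — if either assumption fails, add `runAsUser`/`fsGroup` or an `emptyDir` for `/tmp` accordingly.
```yaml
spec:
  replicas: 1
  strategy:
    type: Recreate  # zot-data is ReadWriteOnce; avoid two pods contending for it mid-rollout
  # … unchanged: selector, template.metadata, nodeSelector …
      containers:
        - name: zot
          image: ghcr.io/project-zot/zot-linux-arm64:v2.1.7
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
            capabilities:
              drop: ["ALL"]
          # … unchanged: args, ports, volumeMounts, readinessProbe, resources …
```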
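Review bot: The Ingress terminates TLS for `registry.bstein.dev` but nothing here binds the route to the TLS entrypoint, so whether a plain-HTTP request on port 80 is redirected or served depends on how the Traefik entrypoints are configured, and any client that falls back to plain HTTP would send the htpasswd credentials in cleartext. If the entrypoints do not already redirect globally, `traefik.ingress.kubernetes.io/router.entrypoints: websecure` and `traefik.ingress.kubernetes.io/router.tls: "true"` under `metadata.annotations` restrict this router to the TLS entrypoint (assuming the default entrypoint names). Annotation values are strings, so the `"true"` must stay quoted.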
@@ -0,0 +1,17 @@
+# services/zot/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - pvc.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingress.yaml
+
+configMapGenerator:
+ - name: zot-config
+ files:
+ - config.json=config.json
+
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/services/zot/namespace.yaml b/services/zot/namespace.yaml
new file mode 100644
index 0000000..b91de10
--- /dev/null
+++ b/services/zot/namespace.yaml
@@ -0,0 +1,5 @@
+# services/zot/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: zot
diff --git a/services/zot/pvc.yaml b/services/zot/pvc.yaml
new file mode 100644
index 0000000..dbafb76
--- /dev/null
+++ b/services/zot/pvc.yaml
@@ -0,0 +1,12 @@
+# services/zot/pvc.yaml
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: zot-data
+ namespace: zot
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/services/zot/service.yaml b/services/zot/service.yaml
new file mode 100644
index 0000000..e41c8d4
--- /dev/null
+++ b/services/zot/service.yaml
@@ -0,0 +1,14 @@
+# services/zot/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+ name: zot
+ namespace: zot
+ labels: { app: zot }
+spec:
+ type: ClusterIP
+ selector: { app: zot }
+ ports:
+ - name: http
+ port: 5000
+ targetPort: 5000
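Review bot: `disableNameSuffixHash: true` keeps the ConfigMap name stable as `zot-config`, which the Deployment's projected volume needs, but it also means an edit to `config.json` — including an access-control change — updates the ConfigMap in place without rolling the pod, and whether the running zot picks that up depends on its own config-reload behaviour and the kubelet's volume sync delay rather than on anything in this repo. A comment above the option, `# stable name: config.json edits are not rolled out automatically; restart deploy/zot`, makes that visible, or drop the option and reference the hashed name so a config change triggers a rollout on its own.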
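Review bot: The `zot` namespace carries no Pod Security Admission labels, so nothing stops a future manifest in this path from running privileged next to the volume that will hold every other image. Adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `metadata.labels` enforces a floor now and surfaces, as warnings, what a later move to `restricted` would require of the zot pod spec.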