From 8459ea70588787274806d08361a3f0c5e532daa9 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 9 Sep 2025 11:27:42 -0500
Subject: [PATCH] zot middleware add
---
 services/zot/configmap.yaml | 9 +--------
 services/zot/ingress.yaml | 1 +
 services/zot/middleware.yaml | 30 ++++++++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/services/zot/configmap.yaml b/services/zot/configmap.yaml
index 47a66e4..3bc6c31 100644
--- a/services/zot/configmap.yaml
+++ b/services/zot/configmap.yaml
@@ -23,19 +23,12 @@ data:
 },
 "accessControl": {
 "repositories": {
- "pegasus/**": {
+ "**": {
 "policies": [
 { "users": ["bstein"], "actions": ["read", "create", "update", "delete"] }
 ],
 "defaultPolicy": [],
 "anonymousPolicy": []
- },
- "**": {
- "policies": [
- { "users": ["bstein"], "actions": ["read", "create", "update", "delete"] }
- ],
- "defaultPolicy": ["read"],
- "anonymousPolicy": ["read"]
 }
 },
 "adminPolicy": {
diff --git a/services/zot/ingress.yaml b/services/zot/ingress.yaml
index 1dda5d0..6c946fb 100644
--- a/services/zot/ingress.yaml
+++ b/services/zot/ingress.yaml
@@ -11,6 +11,7 @@ metadata:
 # traefik.ingress.kubernetes.io/router.tls.options: zot-h1only@kubernetescrd
 # traefik.ingress.kubernetes.io/router.middlewares: zot-zot-headers@kubernetescrd,zot-zot-buffering@kubernetescrd
 traefik.ingress.kubernetes.io/router.middlewares: zot-add-www-auth@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: zot-zot-resp-headers@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/zot/middleware.yaml b/services/zot/middleware.yaml
index 2901fd8..8a47c0a 100644
--- a/services/zot/middleware.yaml
+++ b/services/zot/middleware.yaml
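Review bot: The only identity left in the `**` rule of services/zot/configmap.yaml is `bstein` with read, create, update and delete, so with `defaultPolicy` and `anonymousPolicy` now empty every consumer has to authenticate as that full-rights account. If cluster nodes or CI jobs pull from this registry (not visible in this patch), their pull secrets would carry a credential that can also push and delete. Consider a second policy entry for a pull-only identity, e.g. `{ "users": ["<pull-only-account>"], "actions": ["read"] }` (placeholder name), and use that one for image pulls. The `accessControl` object starts and ends outside the hunk.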
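Review bot: The added line in services/zot/ingress.yaml repeats the annotation key `traefik.ingress.kubernetes.io/router.middlewares`, which makes it a duplicate mapping key: a parser either rejects the manifest or keeps only the last value, in which case `zot-add-www-auth@kubernetescrd` is dropped without any warning. Traefik reads a comma-separated list from a single annotation, as the commented-out line above it already shows, so the two lines should become `traefik.ingress.kubernetes.io/router.middlewares: zot-add-www-auth@kubernetescrd,zot-zot-resp-headers@kubernetescrd`. Since the new middleware also sets `WWW-Authenticate`, the older one may be redundant; if so, replace the value rather than adding a second key.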
@@ -34,3 +34,33 @@ spec:
 headers:
 customResponseHeaders:
 WWW-Authenticate: Basic realm="zot-registry"
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: zot-resp-headers
+ namespace: zot
+spec:
+ headers:
+ customResponseHeaders:
+ Docker-Distribution-Api-Version: "registry/2.0"
+ WWW-Authenticate: 'Basic realm="zot-registry"'
+ accessControlAllowOriginList:
+ - "*"
+ accessControlAllowCredentials: true
+ accessControlAllowHeaders:
+ - Authorization
+ - Content-Type
+ - Docker-Distribution-Api-Version
+ - X-Registry-Auth
+ accessControlAllowMethods:
+ - GET
+ - HEAD
+ - OPTIONS
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+
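Review bot: In the new `zot-resp-headers` middleware, `accessControlAllowOriginList` is set to `"*"` alongside `accessControlAllowCredentials: true`, the `Authorization` header and the write methods (POST, PUT, PATCH, DELETE), which is a far wider CORS policy than a registry API normally needs. Browsers refuse credentialed requests against a wildcard origin, so the pair will not behave as intended and tends to get "fixed" later by reflecting the request origin. If no browser UI on another origin calls the registry, drop the `accessControl*` fields; otherwise list that origin explicitly, e.g. `- "https://<ui-host>"` (placeholder), and trim the methods to what the UI uses. Separately, `customResponseHeaders` attaches `WWW-Authenticate: 'Basic realm="zot-registry"'` to every response rather than only 401s and repeats what the middleware just above already sets; confirm it does not mask a challenge zot sends itself.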