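# services/zot/deployment.yaml
#
# Zot OCI registry, pinned to the arm64 worker pool (hardware=rpi4/rpi5).
# The registry reads a rendered /etc/zot/config.json that an init container
# produces by substituting the OIDC client secret into the ConfigMap template.
#
# Objects referenced here but defined elsewhere:
#   - ConfigMap `zot-config` with a `config.json` key containing the
#     `__CLIENT_SECRET__` placeholder
#   - Secret `zot-oidc-client` with key `client_secret`
#   - PersistentVolumeClaim `zot-data` (image store)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: zot
  namespace: zot
  labels:
    app: zot
spec:
  # Single replica: the image store is one PVC. Presumably it is RWO, in which
  # case a second replica could not even schedule — confirm before scaling out.
  replicas: 1
  selector:
    matchLabels:
      app: zot
  template:
    metadata:
      labels:
        app: zot
    spec:
      # Nothing in this pod talks to the Kubernetes API; don't mount a token
      # that a compromised registry process could use for lateral movement.
      automountServiceAccountToken: false
      nodeSelector:
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          # Hard requirement: the image below is an arm64-only build, so the
          # pod must land on a Pi node. The soft preference (weight 50) steers
          # it towards rpi4 nodes when both are schedulable.
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi4
                      - rpi5
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 50
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values:
                      - rpi4
      initContainers:
        # Renders the config template with the OIDC client secret. It runs
        # before the registry container and writes into the shared
        # `cfg-rendered` volume, which the main container mounts read-only.
        - name: render-config
          image: busybox:1.36
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          command:
            - /bin/sh
            - -c
            - |
              set -eu
              # A missing Secret object is already a pod-level
              # CreateContainerConfigError; this guard catches an empty value.
              if [ -z "${ZOT_CLIENT_SECRET:-}" ]; then
                echo "ZOT_CLIENT_SECRET is empty; ensure zot-oidc-client secret exists" >&2
                exit 1
              fi
              # Escape sed replacement metacharacters (backslash, '&', and the
              # '|' delimiter) so a secret containing them is substituted
              # verbatim instead of corrupting the file or aborting sed.
              # Newlines in the secret are still not handled.
              # NOTE(review): the value lands inside a JSON string unescaped;
              # a secret containing '"' or control characters would still
              # produce invalid JSON — generate secrets without them.
              esc=$(printf '%s' "$ZOT_CLIENT_SECRET" | sed 's/[\\&|]/\\&/g')
              sed "s|__CLIENT_SECRET__|${esc}|g" /config-src/config.json > /config/config.json
          env:
            - name: ZOT_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: zot-oidc-client
                  key: client_secret
          volumeMounts:
            - name: cfg-src
              mountPath: /config-src
            - name: cfg-rendered
              mountPath: /config
      containers:
        - name: zot
          # Tag-pinned arm64 build. The hardware affinity above exists because
          # of this image; change both together.
          # TODO(review): pin by digest (image: <REPO>@sha256:<DIGEST>) so a
          # re-pushed tag cannot swap the registry binary underneath us.
          image: ghcr.io/project-zot/zot-linux-arm64:v2.1.8
          imagePullPolicy: IfNotPresent
          securityContext:
            # Port 5000 is unprivileged and zot needs no capabilities.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          args:
            - serve
            - /etc/zot/config.json
          ports:
            - name: http
              containerPort: 5000
          volumeMounts:
            # subPath mount of the rendered file only; the rest of /etc/zot
            # stays as shipped in the image.
            - name: cfg-rendered
              mountPath: /etc/zot/config.json
              subPath: config.json
              readOnly: true
            - name: zot-data
              mountPath: /var/lib/registry
          # TCP probes only prove the listener is up, not that the registry
          # answers requests. An httpGet probe would need an endpoint that
          # returns 2xx/3xx without authentication — verify against the
          # rendered config before switching.
          readinessProbe:
            tcpSocket:
              port: 5000
            initialDelaySeconds: 2
            periodSeconds: 5
          livenessProbe:
            tcpSocket:
              port: 5000
            initialDelaySeconds: 5
            periodSeconds: 10
          # Requests only; no limits are set, so the pod is BestEffort-ish on
          # memory pressure. Size limits once real usage on the Pi is known.
          resources:
            requests:
              cpu: "50m"
              memory: "64Mi"
      volumes:
        - name: cfg-src
          configMap:
            name: zot-config
        # Holds the rendered config, i.e. the plaintext client secret. Backed
        # by memory so it never touches the node's disk and is gone with the
        # pod; the size limit is ample for a single JSON file.
        - name: cfg-rendered
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
        - name: zot-data
          persistentVolumeClaim:
            claimName: zot-data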