diff --git a/zot/argocd.yaml b/zot/argocd.yaml new file mode 100644 index 0000000..9bb2129 --- /dev/null +++ b/zot/argocd.yaml @@ -0,0 +1,44 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: zot + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - repoURL: https://bjw-s-labs.github.io/helm-charts + chart: app-template + targetRevision: 3.6.1 + helm: + valueFiles: + - $values/zot/helm-values.yaml + - repoURL: https://github.com/K3S-HOME/storage.git + targetRevision: main + ref: values + - repoURL: https://github.com/K3S-HOME/storage.git + targetRevision: main + path: zot + destination: + server: https://kubernetes.default.svc + namespace: zot + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: false + syncOptions: + - CreateNamespace=true + - PrunePropagationPolicy=foreground + - PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + factor: 2 + maxDuration: 3m + managedNamespaceMetadata: + labels: + goldilocks.fairwinds.com/enabled: 'true' + revisionHistoryLimit: 10 diff --git a/zot/helm-values.yaml b/zot/helm-values.yaml new file mode 100644 index 0000000..4f36869 --- /dev/null +++ b/zot/helm-values.yaml @@ -0,0 +1,128 @@ +# Zot Registry using bjw-s/app-template +# ARM64 container registry for on-premise CI/CD + +controllers: + zot: + type: statefulset + strategy: RollingUpdate + containers: + zot: + image: + repository: ghcr.io/project-zot/zot-linux-arm64 + tag: v2.1.13 + pullPolicy: IfNotPresent + probes: + liveness: + enabled: true + custom: true + spec: + tcpSocket: + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 10 + readiness: + enabled: true + custom: true + spec: + tcpSocket: + port: 5000 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + requests: + cpu: 10m + memory: 128Mi + limits: + memory: 512Mi + pod: + tolerations: + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoExecute" + +service: + zot: + controller: zot + ports: + http: + port: 5000 + +ingress: + zot: + className: traefik + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + hosts: + - host: zot0213.kro.kr + paths: + - path: / + pathType: Prefix + service: + identifier: zot + port: http + tls: + - secretName: zot-tls + hosts: + - zot0213.kro.kr + +persistence: + data: + type: persistentVolumeClaim + accessMode: ReadWriteOnce + size: 50Gi + storageClass: local-path + globalMounts: + - path: /var/lib/registry + config: + type: configMap + name: zot-config + globalMounts: + - path: /etc/zot/config.json + subPath: config.json + readOnly: true + htpasswd: + type: secret + name: zot-htpasswd + globalMounts: + - path: /etc/zot/htpasswd + subPath: htpasswd + readOnly: true + +configMaps: + config: + data: + config.json: | + { + "storage": { + "rootDirectory": "/var/lib/registry", + "gc": true, + "gcDelay": "1h", + "gcInterval": "24h" + }, + "http": { + "address": "0.0.0.0", + "port": "5000", + "auth": { + "htpasswd": { + "path": "/etc/zot/htpasswd" + } + } + }, + "log": { + "level": "info" + }, + "extensions": { + "metrics": { + "enable": true, + "prometheus": { + "path": "/metrics" + } + }, + "search": { + "enable": true + }, + "ui": { + "enable": true + } + } + } diff --git a/zot/kustomization.yaml b/zot/kustomization.yaml new file mode 100644 index 0000000..f27909e --- /dev/null +++ b/zot/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- manifests/secret.yaml diff --git a/zot/manifests/secret.yaml b/zot/manifests/secret.yaml new file mode 100644 index 0000000..a08e606 --- /dev/null +++ b/zot/manifests/secret.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: zot-htpasswd-secret + namespace: zot +spec: + refreshInterval: 1h + secretStoreRef: + kind: ClusterSecretStore + name: vault-backend + target: + name: zot-htpasswd + creationPolicy: Owner + data: + - secretKey: htpasswd + remoteRef: + key: zot + property: HTPASSWD