- Add blob: to script-src directive - Add unsafe-eval for UI functionality - Fix Content Security Policy for proper UI rendering
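---
# Zot Registry using bjw-s/app-template
# ARM64 container registry with S3 (MinIO) storage backend
#
# Review notes on config.json (it is plain JSON and cannot carry comments):
#   - storageDriver reaches MinIO over plaintext ("secure": false), and
#     "skipverify": true would also disable certificate checks if the endpoint
#     were ever switched to https. Credentials and blobs cross the cluster
#     network unencrypted; only acceptable if that path is trusted (e.g. mesh
#     mTLS) — NOTE(review): confirm.
#   - "rootDirectory": "/tmp/zot" is the per-replica local cache/metadata
#     directory; nothing is mounted there, so it lives on the container's
#     writable layer. With two replicas each pod keeps its own copy, so
#     search/UI metadata can differ between replicas — NOTE(review): confirm
#     this is acceptable or configure a shared cache per the zot clustering
#     docs.
#   - Only htpasswd auth is configured and no "accessControl" block is set.
#     NOTE(review): verify that the authorization zot applies by default for
#     this version (authenticated vs anonymous users) matches the intent.
#   - The metrics extension exposes /metrics. NOTE(review): check whether that
#     path is served without authentication and restrict it at the ingress if so.

controllers:
  zot:
    type: deployment
    replicas: 2
    strategy: RollingUpdate
    containers:
      zot:
        image:
          repository: ghcr.io/project-zot/zot-linux-arm64
          # Pinned to a release tag; pinning by digest (tag@sha256:...) would
          # additionally protect against the tag being re-pushed upstream.
          tag: v2.1.13
          pullPolicy: IfNotPresent
        # S3 credentials are injected as environment variables instead of being
        # written into config.json. NOTE(review): the secret must expose the
        # variable names the S3 driver's default credential chain reads
        # (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) — confirm against its keys.
        envFrom:
          - secretRef:
              name: minio-s3-credentials
        # TCP probes only verify that port 5000 accepts connections, not that
        # the registry answers requests. Presumably chosen because auth is
        # enabled and an httpGet probe would need an unauthenticated path —
        # NOTE(review): confirm.
        probes:
          liveness:
            enabled: true
            custom: true
            spec:
              tcpSocket:
                port: 5000
              initialDelaySeconds: 5
              periodSeconds: 10
          readiness:
            enabled: true
            custom: true
            spec:
              tcpSocket:
                port: 5000
              initialDelaySeconds: 5
              periodSeconds: 10
        resources:
          requests:
            cpu: 15m
            memory: 128Mi
          limits:
            # No CPU limit; the memory limit equals the request, so growth of the
            # local cache/search metadata ends in an OOM kill rather than
            # throttling — NOTE(review): size this against observed usage.
            memory: 128Mi
    # NOTE(review): this file sets no securityContext; consider runAsNonRoot,
    # allowPrivilegeEscalation: false, dropping all capabilities and
    # readOnlyRootFilesystem (the latter needs an emptyDir at /tmp/zot, where
    # the registry writes its local cache).
    pod:
      # Soft anti-affinity: prefer spreading the two replicas across nodes.
      # NOTE(review): app-template derives app.kubernetes.io/name from the chart
      # name unless nameOverride is set; confirm the rendered label really is
      # "zot", otherwise this selector matches nothing and is silently a no-op.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchLabels:
                    app.kubernetes.io/name: zot
                topologyKey: kubernetes.io/hostname

service:
  zot:
    controller: zot
    ports:
      http:
        port: 5000

rawResources:
  # Traefik middleware that sets the Content-Security-Policy header for the
  # zot web UI. default-src 'self' is the baseline; script-src carries
  # 'unsafe-inline', 'unsafe-eval' and blob: because the UI needs them to
  # render (see commit message). With both unsafe-* keywords present,
  # script-src only restricts where external scripts may load from and no
  # longer blocks injected inline JS, so it gives little XSS protection if the
  # UI ever renders untrusted registry metadata — prefer nonces/hashes once the
  # UI supports them.
  # Added beyond the original policy: frame-ancestors (not covered by
  # default-src) so other origins cannot frame the UI, and object-src 'none'
  # since the UI embeds no plugins. connect-src 'self' matches the UI calling
  # the API on its own origin (http.externalUrl below).
  csp-fix:
    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    spec:
      headers:
        # Folded scalar: rendered as a single space-separated header value.
        contentSecurityPolicy: >-
          default-src 'self';
          script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:;
          style-src 'self' 'unsafe-inline';
          font-src 'self';
          connect-src 'self';
          img-src 'self' data:;
          manifest-src 'self';
          base-uri 'self';
          object-src 'none';
          frame-ancestors 'self'

ingress:
  zot:
    className: traefik
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
      # Format is <namespace>-<Middleware name>@kubernetescrd. NOTE(review):
      # confirm the Middleware rendered from rawResources.csp-fix is really
      # named "csp-fix" in namespace "zot" (the chart may prefix it with the
      # release name); Traefik typically refuses a router whose middleware is
      # missing, so the UI would break rather than silently lose the header.
      traefik.ingress.kubernetes.io/router.middlewares: zot-csp-fix@kubernetescrd
    hosts:
      - host: zot0213.kro.kr
        paths:
          - path: /
            pathType: Prefix
            service:
              identifier: zot
              port: http
    tls:
      - secretName: zot-tls
        hosts:
          - zot0213.kro.kr

persistence:
  # Both are read-only subPath mounts. subPath mounts of a ConfigMap/Secret do
  # not receive live updates, so a config or htpasswd change takes effect only
  # after a pod restart.
  config:
    type: configMap
    # NOTE(review): must equal the name the chart renders for configMaps.config
    # below (with release name "zot" that is "zot-config"); confirm.
    name: zot-config
    globalMounts:
      - path: /etc/zot/config.json
        subPath: config.json
        readOnly: true
  htpasswd:
    type: secret
    name: zot-htpasswd
    globalMounts:
      - path: /etc/zot/htpasswd
        subPath: htpasswd
        readOnly: true

configMaps:
  config:
    data:
      # Plain JSON consumed by zot; see the review notes at the top of the file
      # for the storage/auth/metrics caveats in this block.
      config.json: |
        {
          "storage": {
            "rootDirectory": "/tmp/zot",
            "dedupe": false,
            "gc": true,
            "gcDelay": "1h",
            "gcInterval": "24h",
            "storageDriver": {
              "name": "s3",
              "regionendpoint": "http://minio.minio.svc.cluster.local:9000",
              "region": "us-east-1",
              "bucket": "zot",
              "secure": false,
              "skipverify": true
            }
          },
          "http": {
            "address": "0.0.0.0",
            "port": "5000",
            "externalUrl": "https://zot0213.kro.kr",
            "auth": {
              "htpasswd": {
                "path": "/etc/zot/htpasswd"
              }
            }
          },
          "log": {
            "level": "info"
          },
          "extensions": {
            "metrics": {
              "enable": true,
              "prometheus": {
                "path": "/metrics"
              }
            },
            "search": {
              "enable": true
            },
            "ui": {
              "enable": true
            }
          }
        }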