[feature] Zot (#1296)

Author: maxim-mityutko

README.md

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: zot
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: default
+    server: 'https://kubernetes.default.svc'
+  source:
+    path: kubernetes/cluster/default/zot
+    repoURL: 'https://github.com/maxim-mityutko/home-infra.git'
+    targetRevision: main
+  project: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

kubernetes/argocd/03_default/zot.yaml

@@ -24,7 +24,7 @@ spec:
       restartPolicy: Always
       containers:
         - name: blocky
-          image: ghcr.io/0xerr0r/blocky:v0.27.0
+          image: registry.brhd.io/ghcr.io/0xerr0r/blocky:v0.27.0
           args: 
             - --config 
             - ./config/

kubernetes/cluster/default/blocky/blocky.yaml

@@ -0,0 +1,12 @@
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+  name: registry.brhd.io
+  namespace: default
+spec:
+  endpoints:
+    - dnsName: registry.brhd.io
+      recordTTL: 86400
+      recordType: CNAME
+      targets:
+        - casa.brhd.io

kubernetes/cluster/default/zot/dns-endpoint.yaml

@@ -0,0 +1,131 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - dns-endpoint.yaml
+  - secret.yaml
+helmCharts:
+  - name: zot
+    namespace: default
+    releaseName: zot
+    version: 0.1.87
+    repo: http://zotregistry.dev/helm-charts
+    valuesInline:
+      image:
+        # Override repo path to get access to different image architectures
+        repository: ghcr.io/project-zot/zot
+      serviceAccount:
+        create: true
+      serviceHeadless:
+        enabled: false
+      ingress:
+        enabled: true
+        annotations:
+          kubernetes.io/ingress.class: public
+          cert-manager.io/cluster-issuer: lets-encrypt
+          nginx.ingress.kubernetes.io/proxy-body-size: '0'
+        className: public
+        hosts:
+          - host: registry.brhd.io
+            paths:
+              - path: /
+        tls: []
+      startupProbe:
+        initialDelaySeconds: 5
+        periodSeconds: 10
+        failureThreshold: 3
+      mountConfig: true
+      configFiles:
+        # Refs:
+        #   Authorization: https://zotregistry.dev/latest/articles/authn-authz/
+        #   OIDC: https://zotregistry.dev/latest/articles/authn-authz/#using-openidoauth2-when-zot-is-behind-a-proxy-or-load-balancer
+        config.json: |-
+          {
+            "storage": { "rootDirectory": "/var/lib/registry" },
+            "http": { 
+              "address": "0.0.0.0", 
+              "port": "5000",
+              "externalUrl": "https://registry.brhd.io",
+              "auth": {
+                "openid": {
+                  "providers": {
+                    "oidc": {
+                      "issuer": "https://auth.brhd.io/application/o/zot/",
+                      "credentialsFile": "secrets/oidc.json",
+                      "scopes": ["openid", "profile", "email"]
+                    }
+                  }
+                }
+              },
+              "accessControl": {
+                "repositories": {
+                  "**": {
+                    "defaultPolicy": ["read", "create", "update", "delete"],
+                    "anonymousPolicy": ["read"]
+                  }
+                }
+              }
+            },
+            "log": { "level": "warn" },
+            "extensions": {
+              "search": {"enable": true},
+              "ui": {"enable": true},
+              "sync": {
+                "enable": true,
+                "registries": [
+                  {
+                    "urls": ["https://index.docker.io"],
+                    "content": [{"prefix": "**", "destination": "/docker.io"}],
+                    "onDemand": true,
+                    "tlsVerify": true
+                  },
+                  {
+                    "urls": ["https://ghcr.io"],
+                    "content": [{"prefix": "**", "destination": "/ghcr.io"}],
+                    "onDemand": true,
+                    "tlsVerify": true
+                  },
+                  {
+                    "urls": ["https://quay.io"],
+                    "content": [{"prefix": "**", "destination": "/quay.io"}],
+                    "onDemand": true,
+                    "tlsVerify": true
+                  },
+                  {
+                    "urls": ["https://gcr.io"],
+                    "content": [{"prefix": "**", "destination": "/gcr.io"}],
+                    "onDemand": true,
+                    "tlsVerify": true
+                  },
+                  {
+                    "urls": ["https://registry.k8s.io"],
+                    "content": [{"prefix": "**", "destination": "/k8s.io"}],
+                    "onDemand": true,
+                    "tlsVerify": true
+                  }
+                ]
+              },
+              "scrub": {
+                "interval": "24h"
+              }
+            }
+          }
+      externalSecrets:
+        - secretName: zot-oidc
+          mountPath: /secrets
+      persistence: true
+      pvc:
+        create: true
+        accessModes: ["ReadWriteOnce"]
+        storage: 5Gi
+        storageClassName: openebs-hostpath
+      env: []
+      strategy:
+        type: RollingUpdate
+      metrics:
+        enabled: false
+        serviceMonitor:
+          enabled: false
+patches:
+  - path: patch.yaml

kubernetes/cluster/default/zot/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: zot
+  namespace: default
+spec:
+  revisionHistoryLimit: 2

kubernetes/cluster/default/zot/patch.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: zot-oidc
+  namespace: default
+spec:
+  encryptedData:
+    oidc.json: AgBq4kSa3xrY0q4mpmuKQ1o6bhRW6At/foPiTFp7kxk5AcRhZG5RpZR/17Mxo49VFWqBrYqNhnsttTSZFqYpuEYQoIJQ3HL9k6QADvYkVSJcjLKz6kgyy31/d2FVkd/P2bwUZQE/Ia8XgTfb52vrHmqs9SJUy8F+RD/7AxJPPv0Lm5BluXaBkMU3ZZaKYMYfXuMILupxc/bl4nxAxZ8XqdQol3LxKVhkBm8IPjq0/yKoLAPcTroRqEvZqKJn6ITSxu35PTVJVya/fWXmkhZXaRsFRRFM/sYvXcXx2gF0CrPRpE55NoTi8QuHW/Yo29Z/8cga3pji6MjPg8vB3cjIXmLayhx8aPEJg81wpckA0eFRSqMx2tSJ5GcTTHtGlVPVE3dYJLLNXGM0k2DZEJ+7UTm1ht8rwo65s3K4iB+/lKls5dKwjgg2z1l4M2X4FLPlOF/DdSVXc4sc67G7gLtgP6auLcQ+fmy4BJwPYDYFoQm5AJdEFL6Tbto3Q/pSlFWhRIQ0AizKhrvA2fwyHF0QXAmAQfhfmN/H7M54xkJDcaLLzZQrum4vOSAY90OhHyPSN6Naa6n+VdXWTc2kbNWPTs5scgNK1AJeuc0G9p6oyTJsfB0frUQGz/Kh7QePVOWqPRVg+Kanx9bMoGFzGD42zqXQTB1BWNtPQsyHJ04YPc00b8D5ONqv+WiLiOckzdagEPDdWhxbPjbQo72aaXBR+qpAuKSJXoNXV0HW8gsIHqa4T+7I0uoWxQwtXrRJfmb1mDjU77AlMHIfdo2UWykq8Dh0MXWPoYYUO8zaboi3wOwXLD5PwYWV4/GVDE9d9FfdQYZc+4V+Z3S+0zVzKX+2Gl/Ob7ziA3vzeqh7f2REDbzQemJFP/iYuz+xRl5OV6fLRCwlGrTcklt0JCHbYcwf5YI8c83vc81hUWrSE69WVtgk26M8AWQvAgCLbtaAGfLZpaiQgiPZMu4Dnlvm9p10DWmhKJs=
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/name: zot
+      name: zot-oidc
+      namespace: default
+    type: Opaque

kubernetes/cluster/default/zot/secret.yaml

@@ -3,12 +3,19 @@
   "enabled": true,
   "dependencyDashboard": true,
   "dependencyDashboardTitle": "Renovate Dashboard",
+  "registryAliases": {
+    "registry.brhd.io/docker.io": "https://index.docker.io",
+    "registry.brhd.io/ghcr.io": "https://ghcr.io",
+    "registry.brhd.io/quay.io": "https://quay.io",
+    "registry.brhd.io/gcr.io": "https://gcr.io",
+    "registry.brhd.io/k8s.io": "https://registry.k8s.io"
+  },
   "kubernetes": {
     "managerFilePatterns": [
       "/kubernetes/cluster/.+\\.ya?ml$/"
     ]
   },
-  "prHourlyLimit": 15,
+  "prHourlyLimit": 25,
   "includePaths": [
     "kubernetes/cluster/**/**"
   ],