Adding garage (S3 like) and zot (private docker registry)

2026-04-06 10:53:58 +00:00
parent d2e050f1f1
commit e05f1c0de6
22 changed files with 1446 additions and 1 deletions
@@ -0,0 +1,69 @@
+# zot — OCI Container Registry
+
+Namespace: `zot`
+Domain: `zot.immich-ad.ovh`
+
+https://zotregistry.dev/v2.1.15/install-guides/install-guide-k8s/
+
+## Helm repo
+
+```bash
+helm repo add zot https://zotregistry.dev/helm-charts
+helm repo update
+```
+
+## Storage — create directory and PV first
+
+```bash
+sudo mkdir -p /storage/zot/data
+kubectl apply -f pv-zot.yaml
+```
+
+## Install / Upgrade / Delete
+
+```bash
+# Install
+helm install zot zot/zot -n zot --create-namespace -f values.yaml
+
+# Upgrade
+helm upgrade zot zot/zot -n zot -f values.yaml
+
+# Delete
+helm uninstall zot -n zot
+```
+
+## Check PV / PVC
+
+```bash
+kubectl get pv pv-zot-data
+kubectl get pvc -n zot
+```
+
+## Pod / Service status
+
+```bash
+kubectl get pods -n zot
+kubectl get svc -n zot
+kubectl describe pod -n zot -l app.kubernetes.io/name=zot
+```
+
+## Logs
+
+```bash
+kubectl logs -n zot -l app.kubernetes.io/name=zot --prefix
+```
+
+## Certificate
+
+```bash
+kubectl get certificate -n zot
+kubectl describe certificate zot-tls -n zot
+kubectl get challenges -n zot
+```
+
+## Test registry access
+
+```bash
+# Ping the API (replace with actual node IP if testing from outside)
+curl https://zot.immich-ad.ovh/v2/
+```
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: pv-zot-data
+spec:
+  capacity:
+    storage: 20Gi
+  volumeMode: Filesystem
+  accessModes:
+  - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: local-storage
+  local:
+    path: /storage/zot/data
+  nodeAffinity:
+    required:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: In
+          values:
+          - master
+  claimRef:
+    name: data-zot-0    # matches StatefulSet volumeClaimTemplate: data-<release>-zot-0
+    namespace: zot
@@ -0,0 +1,72 @@
+replicaCount: 1
+
+image:
+  repository: ghcr.io/project-zot/zot
+  pullPolicy: IfNotPresent
+  # multi-arch image, no override needed for arm64
+
+service:
+  type: ClusterIP
+  port: 5000
+
+ingress:
+  enabled: true
+  className: traefik
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+  pathtype: Prefix
+  hosts:
+    - host: zot.immich-ad.ovh
+      paths:
+        - path: /
+  tls:
+    - secretName: zot-tls
+      hosts:
+        - zot.immich-ad.ovh
+
+# Mount the config.json into /etc/zot
+mountConfig: true
+configFiles:
+  config.json: |-
+    {
+      "storage": { "rootDirectory": "/var/lib/registry" },
+      "log": { "level": "info" },
+      "extensions": {"search": {"enable": true}, "ui": {"enable": true}},
+      "http": {
+        "address": "0.0.0.0",
+        "port": "5000",
+        "auth": {
+        "htpasswd": {
+            "path": "/secret/htpasswd"
+          }
+        },
+        "accessControl": {
+          "repositories": {
+            "**": {
+              "anonymousPolicy": [],
+              "defaultPolicy": []
+            }
+          },
+          "adminPolicy": {
+            "users": ["admin"],
+            "actions": ["read", "create", "update", "delete"]
+          }
+        }
+      }
+    }
+mountSecret: true
+secretFiles:
+  htpasswd: |
+    admin:$2y$10$1w7mXxSIKGV7dAyqy9TgAeZINEizxuA9ln.Pi6esu7olUV7Kw9ffO
+persistence: true
+pvc:
+  create: true
+  name: data          # PVC will be named: data-zot-zot-0
+  accessModes: ["ReadWriteOnce"]
+  storage: 20Gi
+  storageClassName: local-storage
+
+# local-storage does not support live migration — Recreate avoids attach conflicts
+strategy:
+  type: Recreate