# Local container registry (zot) for a kind cluster: namespace, zot config,
# NodePort service, deployment, cert-manager certificate and trust bundle.
apiVersion: v1
kind: Namespace
metadata:
  name: kind-registry
---
apiVersion: v1
# zot configuration, mounted read-only at /etc/zot and passed as the container's
# only argument. The file is parsed as JSON by zot, so it carries no comments.
# - TLS is terminated by zot itself; cert/key paths match the `certs` mount.
# - Authentication is htpasswd; the path matches the `zot-auth` mount.
# - 0.0.0.0 listens on all pod interfaces; reachability is then decided by the
#   Service below, not by this address.
data:
  config.json: |
    {
      "distSpecVersion": "1.1.1",
      "storage": {
        "rootDirectory": "/var/lib/registry"
      },
      "http": {
        "address": "0.0.0.0",
        "port": 5000,
        "compat": ["docker2s2"],
        "tls": {
          "cert": "/certs/tls.crt",
          "key": "/certs/tls.key"
        },
        "auth": {
          "htpasswd": {
            "path": "/etc/zot/auth/htpasswd"
          }
        }
      },
      "log": {
        "level": "info"
      }
    }
kind: ConfigMap
metadata:
  name: zot-config
  namespace: kind-registry
---
apiVersion: v1
kind: Service
metadata:
  name: registry-service
  namespace: kind-registry
spec:
  ports:
    # NodePort 30001 is reachable on every node address of the cluster, so
    # anything that can reach a node can reach the registry; the htpasswd auth
    # configured in zot-config is the access control, not the network.
    - nodePort: 30001
      port: 443
      protocol: TCP
      targetPort: 5000
  selector:
    run: registry
  type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    # kube-linter suppressions: the pod sets no securityContext, so it runs as
    # the image's default user and with a writable root filesystem, which the
    # annotations document as required by this component.
    ignore-check.kube-linter.io/no-read-only-root-fs: This component requires write permissions
    ignore-check.kube-linter.io/run-as-non-root: This component requires root permissions
  labels:
    run: registry
  name: registry
  namespace: kind-registry
spec:
  replicas: 1
  selector:
    matchLabels:
      run: registry
  template:
    metadata:
      labels:
        run: registry
    spec:
      containers:
        - args:
            - /etc/zot/config.json
          # Pinned by digest, so the running image cannot drift under a tag.
          image: quay.io/konflux-ci/zot@sha256:e99c877789aecdb18fa8a8a3e6570a8117730fe2fc915d76b39b52afc286d93a
          # Both probes only check that the TLS port accepts connections; they
          # do not exercise the registry API.
          livenessProbe:
            initialDelaySeconds: 15
            periodSeconds: 20
            tcpSocket:
              port: 5000
          name: registry
          ports:
            - containerPort: 5000
          readinessProbe:
            initialDelaySeconds: 5
            periodSeconds: 10
            tcpSocket:
              port: 5000
          resources:
            limits:
              cpu: 100m
              memory: 250Mi
            requests:
              cpu: 10m
              memory: 50Mi
          # Config, TLS material and credentials are mounted read-only; only the
          # blob store under /var/lib/registry is writable.
          volumeMounts:
            - mountPath: /certs
              name: certs
              readOnly: true
            - mountPath: /etc/zot
              name: zot-config
              readOnly: true
            - mountPath: /etc/zot/auth
              name: zot-auth
              readOnly: true
            - mountPath: /var/lib/registry
              name: storage
      volumes:
        # TLS key pair issued by the Certificate below (same secretName).
        - name: certs
          secret:
            secretName: local-registry-tls
        - configMap:
            name: zot-config
          name: zot-config
        # htpasswd credentials; the zot-htpasswd secret is not created by this
        # manifest and must exist before the pod starts.
        - name: zot-auth
          secret:
            secretName: zot-htpasswd
        # Ephemeral storage: pushed images are lost when the pod is recreated.
        - emptyDir: {}
          name: storage
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: registry-cert
  namespace: kind-registry
spec:
  # NOTE(review): only the short in-cluster name is covered; a client using
  # registry-service.kind-registry.svc or the .svc.cluster.local form would
  # fail hostname verification. Add those names if such clients exist.
  dnsNames:
    - localhost
    - registry-service.kind-registry
  # NOTE(review): isCA: true marks this serving certificate as a CA, so the
  # private key in local-registry-tls could sign further certificates that
  # would chain to the trusted root. Nothing in this file uses it as a signer
  # (the Bundle below reads root-secret); unless another manifest does, this
  # should be `isCA: false`.
  isCA: true
  issuerRef:
    kind: ClusterIssuer
    name: ca-issuer
  secretName: local-registry-tls
  subject:
    organizations:
      - konflux
---
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: trusted-ca
spec:
  sources:
    # System default CAs plus the private root in root-secret (presumably the
    # root behind ca-issuer — confirm). Consumers of the bundle therefore trust
    # public CAs as well, not only the local issuer.
    - useDefaultCAs: true
    - secret:
        key: ca.crt
        name: root-secret
  target:
    configMap:
      key: ca-bundle.crt
    # Empty selector: the bundle ConfigMap is distributed to all namespaces.
    namespaceSelector: {}