From 04a730b9b47eacecfbf6a967271bce6383921535 Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Thu, 16 Nov 2023 09:41:37 -0500
Subject: [PATCH] feat: add zot to tf nas

Signed-off-by: Devin Buhl
---
terraform/storage/apps/.terraform.lock.hcl | 19 ++
terraform/storage/apps/app_kopia.tf | 11 +-
terraform/storage/apps/app_minio.tf | 9 -
terraform/storage/apps/app_zot.tf | 168 ++++++++++++++++++
...sitory.config.tftpl => kopia.config.tftpl} | 0
.../storage/apps/templates/zot.json.tftpl | 100 +++++++++++
6 files changed, 288 insertions(+), 19 deletions(-)
create mode 100644 terraform/storage/apps/app_zot.tf
rename terraform/storage/apps/templates/{repository.config.tftpl => kopia.config.tftpl} (100%)
create mode 100644 terraform/storage/apps/templates/zot.json.tftpl

diff --git a/terraform/storage/apps/.terraform.lock.hcl b/terraform/storage/apps/.terraform.lock.hcl
index c904df4eaddd7..88c905f3229e1 100644
--- a/terraform/storage/apps/.terraform.lock.hcl
+++ b/terraform/storage/apps/.terraform.lock.hcl
@@ -12,6 +12,13 @@ provider "registry.terraform.io/carlpett/sops" {
 "h1:eyhWU7mN5Q++hYu7j/w8aACehkiaFcdYp84pEF1n7XM=",
 "h1:tnN2Mgl0NUF3cg7a0HtGmtOhHcG+tkaT6ncOPRuA9l8=",
 "h1:xkTdN4nYt3PM5Sx09j/g+vnFWU2njQCO6CXza034R1I=",
+ "zh:064e63ea800cd1a8e575064097bc7de6fd5faa8ad50dbb3f2f9d8a3ebc9d7b97",
+ "zh:0663900085949d2faf24c170c7cdfbf76e545797915cc331da8304144c02bf27",
+ "zh:2ff26c7e5ee356c30791a12dd8e114c6237bd873d09e52805cb30dd5d758ed23",
+ "zh:44211fa474112ad0c9fcdae03f13ec7c75cdefd3ab29979b99cb834208055593",
+ "zh:6c3ab441c12b9679ad1dcac580d1ee7782f0d94efe6da6e983435ed39335cd3f",
+ "zh:8924cc939b52382ef042dc38bde93cdf438ff0aeab5e1801fbd198f05b80cd47",
+ "zh:ebc189ce22c23b903399f71e33d465001a79d7de7f7bf115c7763fcf794f4b58",
 ]
 }
@@ -30,6 +37,18 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
 "h1:sXCkOxRoMFTJnBMRmQlem2S5euv65k4veJQN5LaJayI=",
 "h1:uosKyesMfmeKIcxjMLaHVMW3uW3zVy50Bzvx2jpsNoE=",
 "h1:xyFc77aYkPoU4Xt1i5t0B1IaS8TbTtp9aCSuQKDayII=",
+ "zh:10488a12525ed674359585f83e3ee5e74818b5c98e033798351678b21b2f7d89",
+ "zh:1102ba5ca1a595f880e67102bbf999cc8b60203272a078a5b1e896d173f3f34b",
+ "zh:1347cf958ed3f3f80b3c7b3e23ddda3d6c6573a81847a8ee92b7df231c238bf6",
+ "zh:2cb18e9f5156bc1b1ee6bc580a709f7c2737d142722948f4a6c3c8efe757fa8d",
+ "zh:5506aa6f28dcca2a265ccf8e34478b5ec2cb43b867fe6d93b0158f01590fdadd",
+ "zh:6217a20686b631b1dcb448ee4bc795747ebc61b56fbe97a1ad51f375ebb0d996",
+ "zh:8accf916c00579c22806cb771e8909b349ffb7eb29d9c5468d0a3f3166c7a84a",
+ "zh:9379b0b54a0fa030b19c7b9356708ec8489e194c3b5e978df2d31368563308e5",
+ "zh:aa99c580890691036c2931841e88e7ee80d59ae52289c8c2c28ea0ac23e31520",
+ "zh:c57376d169875990ac68664d227fb69cd0037b92d0eba6921d757c3fd1879080",
+ "zh:e6068e3f94f6943b5586557b73f109debe19d1a75ca9273a681d22d1ce066579",
+ "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
 ]
 }
diff --git a/terraform/storage/apps/app_kopia.tf b/terraform/storage/apps/app_kopia.tf
index cafcc4448b8f1..2a65dacda6be4 100644
--- a/terraform/storage/apps/app_kopia.tf
+++ b/terraform/storage/apps/app_kopia.tf
@@ -8,7 +8,7 @@ resource "kubernetes_secret_v1" "kopia" {
 }
 data = {
 "repository.config" = "${templatefile(
- "${path.module}/templates/repository.config.tftpl", {
+ "${path.module}/templates/kopia.config.tftpl", {
 b2_app_key = data.sops_file.secrets.data["kopia_b2_app_key"],
 b2_app_key_id = data.sops_file.secrets.data["kopia_b2_app_key_id"]
 }
@@ -134,15 +134,6 @@ resource "kubernetes_stateful_set_v1" "kopia" {
 mount_path = "/tycho" # tech-debt
 read_only = true
 }
- resources {
- requests = {
- cpu = "1"
- memory = "2Gi"
- }
- limits = {
- memory = "12Gi"
- }
- }
 }
 volume {
 name = "kopia-logs"
diff --git a/terraform/storage/apps/app_minio.tf b/terraform/storage/apps/app_minio.tf
index 82a2510f5bde8..e508c2d17db1f 100644
--- a/terraform/storage/apps/app_minio.tf
+++ b/terraform/storage/apps/app_minio.tf
@@ -105,15 +105,6 @@ resource "kubernetes_stateful_set_v1" "minio" {
 name = "config"
 mount_path = "/data"
 }
- resources {
- requests = {
- cpu = "1"
- memory = "2Gi"
- }
- limits = {
- memory = "4Gi"
- }
- }
 }
 security_context {
 run_as_user = 568
diff --git a/terraform/storage/apps/app_zot.tf b/terraform/storage/apps/app_zot.tf
new file mode 100644
index 0000000000000..e81c7fe974dfd
--- /dev/null
+++ b/terraform/storage/apps/app_zot.tf
@@ -0,0 +1,168 @@
+resource "kubernetes_config_map_v1" "zot" {
+ metadata {
+ name = "zot"
+ namespace = "default"
+ labels = {
+ "app.arpa.home/name" = "zot"
+ }
+ }
+ data = {
+ "config.json" = "${file("${path.module}/templates/zot.json.tftpl")}"
+ }
+}
+
+resource "kubernetes_stateful_set_v1" "zot" {
+ metadata {
+ name = "zot"
+ namespace = "default"
+ labels = {
+ "app.arpa.home/name" = "zot"
+ }
+ }
+ spec {
+ selector {
+ match_labels = {
+ "app.arpa.home/name" = "zot"
+ }
+ }
+ service_name = "zot"
+ replicas = 1
+ template {
+ metadata {
+ labels = {
+ "app.arpa.home/name" = "zot"
+ }
+ }
+ spec {
+ container {
+ name = "main"
+ image = "ghcr.io/project-zot/zot-linux-amd64:v1.4.3"
+ image_pull_policy = "IfNotPresent"
+ port {
+ name = "http"
+ container_port = 5000
+ host_port = 5000
+ }
+ liveness_probe {
+ http_get {
+ path = "/v2/"
+ port = 5000
+ }
+ initial_delay_seconds = 30
+ period_seconds = 30
+ failure_threshold = 6
+ timeout_seconds = 10
+ }
+ readiness_probe {
+ http_get {
+ path = "/v2/"
+ port = 5000
+ }
+ initial_delay_seconds = 30
+ period_seconds = 30
+ failure_threshold = 6
+ timeout_seconds = 10
+ }
+ volume_mount {
+ name = "config"
+ mount_path = "/var/lib/registry"
+ }
+ volume_mount {
+ name = "config-file"
+ mount_path = "/etc/zot/config.json"
+ read_only = true
+ sub_path = "config.json"
+ }
+ }
+ volume {
+ name = "config"
+ host_path {
+ path = "/eros/Apps/Zot"
+ type = "Directory"
+ }
+ }
+ volume {
+ name = "config-file"
+ projected {
+ default_mode = "0420"
+ sources {
+ config_map {
+ name = "zot"
+ }
+ }
+ }
+ }
+ security_context {
+ run_as_user = 568
+ run_as_group = 568
+ fs_group = 568
+ fs_group_change_policy = "OnRootMismatch"
+ supplemental_groups = [
+ 100
+ ]
+ }
+ toleration {
+ effect = "NoSchedule"
+ operator = "Exists"
+ }
+ }
+ }
+ update_strategy {
+ type = "RollingUpdate"
+ }
+ }
+}
+
+resource "kubernetes_service_v1" "zot" {
+ metadata {
+ name = "zot"
+ namespace = "default"
+ labels = {
+ "app.arpa.home/name" = "zot"
+ }
+ }
+ spec {
+ selector = {
+ "app.arpa.home/name" = "zot"
+ }
+ port {
+ name = "http"
+ port = 5000
+ target_port = 5000
+ protocol = "TCP"
+ }
+ }
+}
+
+resource "kubernetes_ingress_v1" "zot" {
+ metadata {
+ name = "zot"
+ namespace = "default"
+ annotations = {
+ "traefik.ingress.kubernetes.io/router.entrypoints" = "web"
+ }
+ labels = {
+ "app.arpa.home/name" = "zot"
+ }
+ }
+ spec {
+ ingress_class_name = "traefik"
+ rule {
+ host = "zot.turbo.ac"
+ http {
+ path {
+ path = "/"
+ path_type = "Prefix"
+ backend {
+ service {
+ name = "zot"
+ port {
+ number = 5000
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/terraform/storage/apps/templates/repository.config.tftpl b/terraform/storage/apps/templates/kopia.config.tftpl
similarity index 100%
rename from terraform/storage/apps/templates/repository.config.tftpl
rename to terraform/storage/apps/templates/kopia.config.tftpl
diff --git a/terraform/storage/apps/templates/zot.json.tftpl b/terraform/storage/apps/templates/zot.json.tftpl
new file mode 100644
index 0000000000000..1abd66edf971b
--- /dev/null
+++ b/terraform/storage/apps/templates/zot.json.tftpl
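Review bot: `host_port = 5000` on the `main` container publishes the registry on port 5000 of whichever node runs the pod, outside the `zot` Service and the Traefik Ingress, so NetworkPolicy and any ingress-level middleware are bypassed and the registry is reachable from the node network directly; unless the NAS is meant to serve it on the host, drop that line and let the Service carry the traffic. The pod-level `security_context` fixes the UID/GID but the container itself has no hardening, so I would add a container-level `security_context` with `allow_privilege_escalation = false` and `capabilities { drop = ["ALL"] }` next to the probes, plus `seccomp_profile { type = "RuntimeDefault" }` in the pod-level block, since the registry only needs to write under `/var/lib/registry`. The Ingress is pinned to the plain-HTTP `web` entrypoint, so tag pulls via `zot.turbo.ac` are neither encrypted nor authenticated on the wire; if that is deliberate for a private LAN, say so in a comment on the annotation, otherwise add `websecure`. Minor: the config map loads the file with `file()` rather than `templatefile()`, so the `.tftpl` suffix on `zot.json.tftpl` is misleading.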
@@ -0,0 +1,100 @@
+{
+ "distSpecVersion": "1.0.1",
+ "storage": {
+ "rootDirectory": "/var/lib/registry",
+ "dedupe": true,
+ "gc": true,
+ "gcDelay": "1h",
+ "gcInterval": "24h"
+ },
+ "http": {
+ "address": "0.0.0.0",
+ "port": "5000"
+ },
+ "log": {
+ "level": "info"
+ },
+ "extensions": {
+ "search": {
+ "enable": true,
+ "cve": {
+ "updateInterval": "2h"
+ }
+ },
+ "scrub": {
+ "enable": true,
+ "interval": "24h"
+ },
+ "sync": {
+ "enable": true,
+ "registries": [
+ {
+ "urls": ["https://index.docker.io"],
+ "content": [
+ {
+ "prefix": "**",
+ "destination": "/docker.io"
+ }
+ ],
+ "onDemand": true,
+ "tlsVerify": true
+ },
+ {
+ "urls": ["https://gcr.io"],
+ "content": [
+ {
+ "prefix": "**",
+ "destination": "/gcr.io"
+ }
+ ],
+ "onDemand": true,
+ "tlsVerify": true
+ },
+ {
+ "urls": ["https://ghcr.io"],
+ "content": [
+ {
+ "prefix": "**",
+ "destination": "/ghcr.io"
+ }
+ ],
+ "onDemand": true,
+ "tlsVerify": true
+ },
+ {
+ "urls": ["https://quay.io"],
+ "content": [
+ {
+ "prefix": "**",
+ "destination": "/quay.io"
+ }
+ ],
+ "onDemand": true,
+ "tlsVerify": true
+ },
+ {
+ "urls": ["https://registry.k8s.io"],
+ "content": [
+ {
+ "prefix": "**",
+ "destination": "/registry.k8s.io"
+ }
+ ],
+ "onDemand": true,
+ "tlsVerify": true
+ },
+ {
+ "urls": ["https://public.ecr.aws"],
+ "content": [
+ {
+ "prefix": "**",
+ "destination": "/public.ecr.aws"
+ }
+ ],
+ "onDemand": true,
+ "tlsVerify": true
+ }
+ ]
+ }
+ }
+}
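Review bot: The `http` section configures no `auth` and no `accessControl`, so as written the registry accepts anonymous push and delete as well as pull on port 5000 (zot allows every request when no authentication is configured, as far as I know); combined with `onDemand` sync from the six upstream registries, anyone who can reach the service can overwrite a cached upstream tag and have the poisoned image served to every node that uses this mirror. Make the mirror read-only for unauthenticated clients — e.g. an `accessControl` entry for `"**"` whose anonymous/default policy is `["read"]`, with create/update/delete reserved for an `htpasswd`-authenticated user or an `adminPolicy` — and check the exact key layout against the v1.4.3 config reference, since that schema changed across releases. `scrub` only verifies stored blobs against their digests and `gc` only removes unreferenced data, so neither catches a tag that was pushed by an anonymous client. `"tlsVerify": true` on every upstream is the right call and should stay.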