From 93312400b28d657d4a80bb94cad7ecd6449b60b4 Mon Sep 17 00:00:00 2001
From: Simon Cornet
Date: Fri, 8 May 2026 13:42:41 +0200
Subject: [PATCH] feat: use new datastructure for dockerhub auth and make cve scanning optional
---
 defaults/main.yaml | 12 +++++++++---
 tasks/config.yaml | 2 +-
 templates/zot/config.json.j2 | 5 +++--
 templates/zot/sync-credentials.json.j2 | 11 +++++++----
 4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/defaults/main.yaml b/defaults/main.yaml
index 21f544e..7b8ab2c 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -4,6 +4,12 @@
 # renovate: datasource=github-releases depName=project-zot/zot versioning=pep440
 zot_version: "2.1.16"
-# dockerhub credentials (optional, avoids rate limits)
-# zot_dockerhub_username: ""
-# zot_dockerhub_password: ""
+# enable cve scanning of images
+zot_cve_scanning: false
+
+# sync registry credentials (optional, avoids rate limits)
+# zot_sync_credentials:
+# - name: "dockerhub"
+# registry: "registry-1.docker.io"
+# username: "X"
+# password: "Y"
diff --git a/tasks/config.yaml b/tasks/config.yaml
index 40f6eb6..5d3432b 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@@ -13,7 +13,7 @@
 group: "root"
 mode: "0600"
 notify: "restart zot"
- when: "zot_dockerhub_username is defined and zot_dockerhub_password is defined"
+ when: "zot_sync_credentials is defined and zot_sync_credentials | length > 0"
 # create config file
 - name: "create config file"
diff --git a/templates/zot/config.json.j2 b/templates/zot/config.json.j2
index 601ae8d..8f5e84c 100644
--- a/templates/zot/config.json.j2
+++ b/templates/zot/config.json.j2
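Review bot: In defaults/main.yaml the new default `zot_cve_scanning: false` turns CVE scanning off for every host that upgrades without setting the variable, because before this patch templates/zot/config.json.j2 rendered the `cve` block unconditionally. If the opt-out is meant only for hosts that cannot afford the scan, keep the old behaviour with `zot_cve_scanning: true`; otherwise extend the comment to `# enable cve scanning of images (was always on before this change; now off unless set to true)`. The example block also lists a `name` key that neither template in this patch reads, so either drop it or say it is a label only, and the `password` line could note that the value belongs in a vault-encrypted variable.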
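Review bot: In tasks/config.yaml the new `when:` only skips the credentials task when `zot_sync_credentials` is undefined or empty, so a credentials file written by an earlier run stays on disk with its old secrets once the list is emptied. Hosts that still set the removed `zot_dockerhub_username` and `zot_dockerhub_password` take the same skip path without any warning. A companion task that removes the file under the inverse condition closes the gap; the path below is taken from `credentialsFile` in templates/zot/config.json.j2 and should match whatever `dest` this task uses. The task starts above the hunk, so it is not visible whether it sets `no_log: true`; without it a `--diff` run can print the rendered passwords.

```yaml
# … unchanged: sync-credentials template task and its when: condition …

# remove stale credentials when none are configured
- name: "remove sync credentials file"
  ansible.builtin.file:
    path: "/etc/zot/sync-credentials.json"
    state: "absent"
  notify: "restart zot"
  when: "zot_sync_credentials is not defined or zot_sync_credentials | length == 0"
```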
@@ -34,14 +34,15 @@
 "enable": false
 },
 "search": {
- "enable": true,
+ "enable": true{% if zot_cve_scanning %},
 "cve": {
 "updateInterval": "24h"
 }
+{% endif %}
 },
 "sync": {
 "enable": true,
-{% if zot_dockerhub_username is defined and zot_dockerhub_password is defined %}
+{% if zot_sync_credentials is defined and zot_sync_credentials | length > 0 %}
 "credentialsFile": "/etc/zot/sync-credentials.json",
 {% endif %}
 "registries": [
diff --git a/templates/zot/sync-credentials.json.j2 b/templates/zot/sync-credentials.json.j2
index 56564e8..8d3ae6b 100644
--- a/templates/zot/sync-credentials.json.j2
+++ b/templates/zot/sync-credentials.json.j2
@@ -1,6 +1,9 @@
 {
- "registry-1.docker.io": {
- "username": "{{ zot_dockerhub_username }}",
- "password": "{{ zot_dockerhub_password }}"
- }
+{% for cred in zot_sync_credentials %}
+ "{{ cred.registry }}": {
+ "username": "{{ cred.username }}",
+ "password": "{{ cred.password }}"
+ }{% if not loop.last %},{% endif %}
+
+{% endfor %}
 }
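Review bot: The `{% if zot_cve_scanning %}` test in templates/zot/config.json.j2 treats any non-empty string as true, so a value passed as `-e zot_cve_scanning=false` arrives as the string "false" and would still render the `cve` block. Use `{% if zot_cve_scanning | bool %}` so string and boolean inputs behave the same. The `credentialsFile` condition further down repeats the `when:` expression from tasks/config.yaml; a comment such as `{# keep in sync with the sync-credentials task condition #}` would help, since a mismatch leaves zot pointing at a file that was never written. The enclosing JSON object starts and ends outside the hunk.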
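Review bot: The loop in templates/zot/sync-credentials.json.j2 places `cred.registry`, `cred.username` and `cred.password` between hand-written quotes, so a password containing `"` or `\` yields a broken or differently structured credentials file. Let the `to_json` filter do the quoting and escaping: `{{ cred.registry | to_json }}: {`, `"username": {{ cred.username | to_json }},` and `"password": {{ cred.password | to_json }}`. The `name` key from the defaults example is not read here, and two entries with the same `registry` would emit a duplicate JSON key, so a uniqueness check on `registry` before templating is worth adding.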