eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/zot/harden-zot-registry.md

59 lines
2 KiB
Markdown
Raw Normal View History

Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - **New:** `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - **New:** `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - **New:** `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - **New:** `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - **Deleted:** `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - **Updated:** `docs/how-to/how-to.md` — Add Zot section, remove plan entry - **Updated:** `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229
2026-02-20 17:56:25 -08:00
---
title: Harden Zot Registry
modified: 2026-02-20
status: active
requires:
- register-zot-oidc-client
- wire-ci-registry-auth
- enforce-tag-immutability
tags:
- how-to
- zot
- registry
- security
---
# Harden Zot Registry
Enable OIDC + API key authentication on zot with anonymous pull preserved, and enforce tag immutability for version tags. This is the C2 Mikado root goal.
## Context
Zot currently has **no authentication** — security relies entirely on the Tailscale ACL boundary. Any tailnet client can push images, and tags are mutable.
Both prerequisites from the original plan are now complete:
- [[adopt-oidc-provider]] — Authentik is deployed and serving OIDC
- [[adopt-dagger-ci]] — Dagger handles container builds
## Core Change
Update `ansible/roles/zot/templates/config.json.j2` to add:
1. **`http.auth.openid`** — OIDC provider pointing to Authentik
2. **`http.auth.apikey: true`** — enable API key generation for CI
3. **`accessControl`** — anonymous read, authenticated write
4. **`externalUrl`** — `https://registry.ops.eblu.me` for OIDC callback redirects
## Key Files
| File | Purpose |
|------|---------|
| `ansible/roles/zot/templates/config.json.j2` | Zot config — add auth + access control |
| `ansible/roles/zot/defaults/main.yml` | New OIDC variables |
| `ansible/roles/zot/tasks/main.yml` | Deploy OIDC credentials file |
## Verification
- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`)
- [ ] Unauthenticated push fails (401)
- [ ] OIDC browser login works (redirect to Authentik and back)
- [ ] API key push works (`docker login` with `zak_...` token)
- [ ] Pull-through caching still works
- [ ] `mise run services-check` passes
## Related
- [[register-zot-oidc-client]] — Prereq: register OIDC client in Authentik
- [[wire-ci-registry-auth]] — Prereq: update CI push paths with credentials
- [[enforce-tag-immutability]] — Prereq: prevent version tag overwrites
- [[agent-change-process]] — C2 methodology
Reference in a new issue Copy permalink