blumeops/docs/how-to/zot/harden-zot-registry.md

---
title: Harden Zot Registry
modified: 2026-02-20
status: active
requires:
  - register-zot-oidc-client
  - wire-ci-registry-auth
  - enforce-tag-immutability
  - adopt-commit-based-container-tags
tags:
  - how-to
  - zot
  - registry
  - security
---

# Harden Zot Registry

Enable OIDC + API key authentication on zot with anonymous pull preserved, and enforce tag immutability for version tags. This is the C2 Mikado root goal.

## Context

Zot currently has **no authentication** — security relies entirely on the Tailscale ACL boundary. Any tailnet client can push images, and tags are mutable.

Both prerequisites from the original plan are now complete:
- [[adopt-oidc-provider]] — Authentik is deployed and serving OIDC
- [[adopt-dagger-ci]] — Dagger handles container builds

## Core Change

Update `ansible/roles/zot/templates/config.json.j2` to add:

1. **`http.auth.openid`** — OIDC provider pointing to Authentik
2. **`http.auth.apikey: true`** — enable API key generation for CI
3. **`accessControl`** — anonymous read, authenticated write
4. **`externalUrl`** — `https://registry.ops.eblu.me` for OIDC callback redirects

## Key Files

| File | Purpose |
|------|---------|
| `ansible/roles/zot/templates/config.json.j2` | Zot config — add auth + access control |
| `ansible/roles/zot/defaults/main.yml` | New OIDC variables |
| `ansible/roles/zot/tasks/main.yml` | Deploy OIDC credentials file |

## Verification

- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`)
- [ ] Unauthenticated push fails (401)
- [ ] OIDC browser login works (redirect to Authentik and back)
- [ ] API key push works (`docker login` with `zak_...` token)
- [ ] Pull-through caching still works
- [ ] `mise run services-check` passes

## Related

- [[register-zot-oidc-client]] — Prereq: register OIDC client in Authentik
- [[wire-ci-registry-auth]] — Prereq: update CI push paths with credentials
- [[enforce-tag-immutability]] — Prereq: prevent version tag overwrites
- [[adopt-commit-based-container-tags]] — Prereq: commit-SHA-based image tags
- [[agent-change-process]] — C2 methodology
Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - New: `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - New: `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - New: `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - New: `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - Deleted: `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - Updated: `docs/how-to/how-to.md` — Add Zot section, remove plan entry - Updated: `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229 2026-02-20 17:56:25 -08:00			`---`
			`title: Harden Zot Registry`
			`modified: 2026-02-20`
			`status: active`
			`requires:`
			`- register-zot-oidc-client`
			`- wire-ci-registry-auth`
			`- enforce-tag-immutability`
Add commit-based container tagging prereq to harden-zot-registry chain (#230) ## Summary - New Mikado card: `adopt-commit-based-container-tags` — replaces git-tag-triggered container builds with path-based main-branch triggers and manual workflow dispatch - Image tags become `vX.Y.Z-<sha>` (with `-main` suffix for main branch builds, `-nix` for Nix builds), tying versions to the actual bundled app version and exact source commit - `container-tag-and-release` mise task to be renamed to `container-build-and-release`, triggering workflow dispatch with the current HEAD SHA - Added as soft prereq to `harden-zot-registry` Mikado chain ## Test plan - [x] Pre-commit hooks pass (docs-check-index, docs-check-links, etc.) - [ ] Review card content for completeness 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/230 2026-02-20 18:26:27 -08:00			`- adopt-commit-based-container-tags`
Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - New: `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - New: `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - New: `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - New: `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - Deleted: `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - Updated: `docs/how-to/how-to.md` — Add Zot section, remove plan entry - Updated: `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229 2026-02-20 17:56:25 -08:00			`tags:`
			`- how-to`
			`- zot`
			`- registry`
			`- security`
			`---`

			`# Harden Zot Registry`

			`Enable OIDC + API key authentication on zot with anonymous pull preserved, and enforce tag immutability for version tags. This is the C2 Mikado root goal.`

			`## Context`

			`Zot currently has no authentication — security relies entirely on the Tailscale ACL boundary. Any tailnet client can push images, and tags are mutable.`

			`Both prerequisites from the original plan are now complete:`
			`- [[adopt-oidc-provider]] — Authentik is deployed and serving OIDC`
			`- [[adopt-dagger-ci]] — Dagger handles container builds`

			`## Core Change`

			Update `ansible/roles/zot/templates/config.json.j2` to add:

			1. `http.auth.openid` — OIDC provider pointing to Authentik
			2. `http.auth.apikey: true` — enable API key generation for CI
			3. `accessControl` — anonymous read, authenticated write
			4. `externalUrl` — `https://registry.ops.eblu.me` for OIDC callback redirects

			`## Key Files`

			`\| File \| Purpose \|`
			`\|------\|---------\|`
			\| `ansible/roles/zot/templates/config.json.j2` \| Zot config — add auth + access control \|
			\| `ansible/roles/zot/defaults/main.yml` \| New OIDC variables \|
			\| `ansible/roles/zot/tasks/main.yml` \| Deploy OIDC credentials file \|

			`## Verification`

			- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`)
			`- [ ] Unauthenticated push fails (401)`
			`- [ ] OIDC browser login works (redirect to Authentik and back)`
			- [ ] API key push works (`docker login` with `zak_...` token)
			`- [ ] Pull-through caching still works`
			- [ ] `mise run services-check` passes

			`## Related`

			`- [[register-zot-oidc-client]] — Prereq: register OIDC client in Authentik`
			`- [[wire-ci-registry-auth]] — Prereq: update CI push paths with credentials`
			`- [[enforce-tag-immutability]] — Prereq: prevent version tag overwrites`
Add commit-based container tagging prereq to harden-zot-registry chain (#230) ## Summary - New Mikado card: `adopt-commit-based-container-tags` — replaces git-tag-triggered container builds with path-based main-branch triggers and manual workflow dispatch - Image tags become `vX.Y.Z-<sha>` (with `-main` suffix for main branch builds, `-nix` for Nix builds), tying versions to the actual bundled app version and exact source commit - `container-tag-and-release` mise task to be renamed to `container-build-and-release`, triggering workflow dispatch with the current HEAD SHA - Added as soft prereq to `harden-zot-registry` Mikado chain ## Test plan - [x] Pre-commit hooks pass (docs-check-index, docs-check-links, etc.) - [ ] Review card content for completeness 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/230 2026-02-20 18:26:27 -08:00			`- [[adopt-commit-based-container-tags]] — Prereq: commit-SHA-based image tags`
Create C2 Mikado cards for harden-zot-registry (#229) ## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - New: `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - New: `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - New: `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - New: `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - Deleted: `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - Updated: `docs/how-to/how-to.md` — Add Zot section, remove plan entry - Updated: `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229 2026-02-20 17:56:25 -08:00			`- [[agent-change-process]] — C2 methodology`