Harden zot registry, pt 1 (#231)
## Summary - Enable OIDC + API key authentication on zot with anonymous pull preserved - Enforce tag immutability for version tags - Adopt commit-SHA-based container image tagging Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`). ## Test plan - [ ] Anonymous pull still works - [ ] Unauthenticated push fails (401) - [ ] CI container builds pass with new auth and tagging - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
This commit is contained in:
parent
6d7071e5ec
commit
0e2c10176d
28 changed files with 743 additions and 30 deletions
|
|
@ -9,9 +9,13 @@
|
|||
# Usage: Configure runner with label like:
|
||||
# docker:docker://registry.ops.eblu.me/blumeops/forgejo-runner:latest
|
||||
|
||||
ARG CONTAINER_APP_VERSION=0.19.11
|
||||
|
||||
FROM debian:bookworm-slim
|
||||
|
||||
ARG TARGETARCH
|
||||
ARG CONTAINER_APP_VERSION
|
||||
ARG DAGGER_VERSION=${CONTAINER_APP_VERSION}
|
||||
|
||||
# Install base dependencies
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
|
|
@ -51,7 +55,6 @@ RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
|
|||
&& argocd version --client
|
||||
|
||||
# Install Dagger CLI (for running Dagger CI pipelines)
|
||||
ARG DAGGER_VERSION=0.19.11
|
||||
RUN ARCH="${TARGETARCH:-$(dpkg --print-architecture)}" \
|
||||
&& curl -fsSL -o /tmp/dagger.tar.gz \
|
||||
"https://dl.dagger.io/dagger/releases/${DAGGER_VERSION}/dagger_v${DAGGER_VERSION}_linux_${ARCH}.tar.gz" \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue