Harden zot registry, pt 1 (#231)
## Summary

- Enable OIDC + API key authentication on zot with anonymous pull preserved
- Enforce tag immutability for version tags
- Adopt commit-SHA-based container image tagging

Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`).

## Test plan

- [ ] Anonymous pull still works
- [ ] Unauthenticated push fails (401)
- [ ] CI container builds pass with new auth and tagging
- [ ] `mise run services-check` passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
This commit is contained in:
parent 6d7071e5ec
commit 0e2c10176d
28 changed files with 743 additions and 30 deletions
@ -73,6 +73,10 @@ Mikado chain for hardening the zot registry. Track progress with `mise run docs-
- [[wire-ci-registry-auth]]
- [[enforce-tag-immutability]]
- [[adopt-commit-based-container-tags]]
- [[add-container-version-sync-check]]
- [[pin-container-versions]]
- [[add-dagger-nix-build]]
- [[fix-ntfy-nix-version]]
## Authentik
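Review bot: the hunk header says four lines were added to the chain, but the rendered view drops the +/- markers, so it is not possible to tell which of the seven listed nodes (wire-ci-registry-auth, enforce-tag-immutability, adopt-commit-based-container-tags, add-container-version-sync-check, pin-container-versions, add-dagger-nix-build, fix-ntfy-nix-version) this commit introduces; the commit summary only names the auth, immutability and commit-SHA tagging work, so please state in the summary which Mikado nodes are new (add-container-version-sync-check, pin-container-versions, add-dagger-nix-build and fix-ntfy-nix-version are not covered by any of its three bullets) so reviewers can match them against the test plan items.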