Create C2 Mikado cards for harden-zot-registry (#229)

## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - **New:** `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - **New:** `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - **New:** `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - **New:** `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - **Deleted:** `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - **Updated:** `docs/how-to/how-to.md` — Add Zot section, remove plan entry - **Updated:** `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229
2026-02-20 17:56:25 -08:00 · 2026-02-20 17:56:25 -08:00 · 379bcb98af
commit 379bcb98af
parent cd50c1454a
8 changed files with 220 additions and 213 deletions
--- a/docs/how-to/zot/harden-zot-registry.md
+++ b/docs/how-to/zot/harden-zot-registry.md
@ -0,0 +1,59 @@
+---
+title: Harden Zot Registry
+modified: 2026-02-20
+status: active
+requires:
+  - register-zot-oidc-client
+  - wire-ci-registry-auth
+  - enforce-tag-immutability
+tags:
+  - how-to
+  - zot
+  - registry
+  - security
+---
+
+# Harden Zot Registry
+
+Enable OIDC + API key authentication on zot with anonymous pull preserved, and enforce tag immutability for version tags. This is the C2 Mikado root goal.
+
+## Context
+
+Zot currently has **no authentication** — security relies entirely on the Tailscale ACL boundary. Any tailnet client can push images, and tags are mutable.
+
+Both prerequisites from the original plan are now complete:
+- [[adopt-oidc-provider]] — Authentik is deployed and serving OIDC
+- [[adopt-dagger-ci]] — Dagger handles container builds
+
+## Core Change
+
+Update `ansible/roles/zot/templates/config.json.j2` to add:
+
+1. **`http.auth.openid`** — OIDC provider pointing to Authentik
+2. **`http.auth.apikey: true`** — enable API key generation for CI
+3. **`accessControl`** — anonymous read, authenticated write
+4. **`externalUrl`** — `https://registry.ops.eblu.me` for OIDC callback redirects
+
+## Key Files
+
+| File | Purpose |
+|------|---------|
+| `ansible/roles/zot/templates/config.json.j2` | Zot config — add auth + access control |
+| `ansible/roles/zot/defaults/main.yml` | New OIDC variables |
+| `ansible/roles/zot/tasks/main.yml` | Deploy OIDC credentials file |
+
+## Verification
+
+- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`)
+- [ ] Unauthenticated push fails (401)
+- [ ] OIDC browser login works (redirect to Authentik and back)
+- [ ] API key push works (`docker login` with `zak_...` token)
+- [ ] Pull-through caching still works
+- [ ] `mise run services-check` passes
+
+## Related
+
+- [[register-zot-oidc-client]] — Prereq: register OIDC client in Authentik
+- [[wire-ci-registry-auth]] — Prereq: update CI push paths with credentials
+- [[enforce-tag-immutability]] — Prereq: prevent version tag overwrites
+- [[agent-change-process]] — C2 methodology