diff --git a/docs/changelog.d/harden-zot-mikado-cards.ai.md b/docs/changelog.d/harden-zot-mikado-cards.ai.md deleted file mode 100644 index ea0594d..0000000 --- a/docs/changelog.d/harden-zot-mikado-cards.ai.md +++ /dev/null @@ -1 +0,0 @@ -Expand harden-zot-registry Mikado chain: add prereqs for container version sync check, pin container versions, and Dagger nix build function. diff --git a/docs/changelog.d/wire-ci-registry-auth.feature.md b/docs/changelog.d/wire-ci-registry-auth.feature.md index d427fbd..3dd5597 100644 --- a/docs/changelog.d/wire-ci-registry-auth.feature.md +++ b/docs/changelog.d/wire-ci-registry-auth.feature.md @@ -1 +1 @@ -Enable OIDC + API key authentication on zot registry with three-tier access control (anonymous read, CI create, admin full). Wire both CI push paths (Dagger and Nix/skopeo) with registry credentials via Forgejo Actions secrets. +Enable OIDC + API key authentication on zot registry with three-tier access control (anonymous read, CI create, admin full). Wire both CI push paths (Dagger and Nix/skopeo) with registry credentials via Forgejo Actions secrets. Allow anonymous Prometheus metrics scraping via `accessControl.metrics.users`. diff --git a/docs/how-to/agent-change-process.md b/docs/how-to/agent-change-process.md index 2a57237..0b6956e 100644 --- a/docs/how-to/agent-change-process.md +++ b/docs/how-to/agent-change-process.md @@ -96,8 +96,8 @@ tags: --- ``` -- `status: active` marks in-progress work; omit when done -- `requires` lists card stems (filenames without `.md`) that must be completed first +- `status: active` marks in-progress work; remove when done (this is the ONLY way a card is marked complete) +- `requires` lists card stems (filenames without `.md`) that must be completed first. **Keep `requires` permanently** even after prerequisites are done — it documents the dependency graph history - `required-by` is NOT stored — it's computed by `docs-mikado` ### Writing Cards diff --git a/docs/how-to/zot/enforce-tag-immutability.md b/docs/how-to/zot/enforce-tag-immutability.md index a3c1f72..4d65d82 100644 --- a/docs/how-to/zot/enforce-tag-immutability.md +++ b/docs/how-to/zot/enforce-tag-immutability.md @@ -17,7 +17,7 @@ Tag immutability is enforced server-side via `accessControl` policies in [[harde - **Anonymous:** `["read"]` — pull only, no push at all - **`artifact-workloads` group (CI):** `["read", "create"]` — can push new tags but cannot overwrite or delete existing ones -- **Admins:** `["read", "create", "delete"]` — break-glass for removing bad images +- **Admins:** `["read", "create", "update", "delete"]` — break-glass for removing bad images Since CI only has `create` (not `update`), pushing an existing version tag is rejected by zot itself. Commit SHA tags are inherently unique and never collide. diff --git a/docs/how-to/zot/harden-zot-registry.md b/docs/how-to/zot/harden-zot-registry.md index 4c8d7e0..47ca322 100644 --- a/docs/how-to/zot/harden-zot-registry.md +++ b/docs/how-to/zot/harden-zot-registry.md @@ -10,21 +10,20 @@ tags: # Harden Zot Registry -OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. This was a C2 Mikado goal — all prerequisites are now complete. +OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. Completed as a C2 Mikado goal across PRs #236 and #237. ## What Was Done Updated `ansible/roles/zot/templates/config.json.j2` with: -1. **`http.auth.openid`** — OIDC provider pointing to Authentik (`sso.ops.eblu.me`) +1. **`http.auth.openid`** — OIDC provider pointing to Authentik (`authentik.ops.eblu.me`) 2. **`http.auth.apikey: true`** — API key generation for CI service accounts 3. **`http.accessControl`** — three-tier policy: - `anonymousPolicy: ["read"]` — anyone can pull - `artifact-workloads` group: `["read", "create"]` — CI can push new tags but cannot overwrite or delete (immutable tags) - `admins` group: `["read", "create", "update", "delete"]` — break-glass 4. **`http.externalUrl`** — `https://registry.ops.eblu.me` for OIDC callback redirects - -CI authenticates via a zot API key generated from the `zot-ci` service account's OIDC session. The key is stored in 1Password and synced to Forgejo Actions secrets. +5. **`accessControl.metrics.users: [""]`** — allows anonymous Prometheus/Alloy scraping ## Key Files @@ -37,22 +36,20 @@ CI authenticates via a zot API key generated from the `zot-ci` service account's | `.forgejo/workflows/build-container.yaml` | Dagger push with API key | | `.forgejo/workflows/build-container-nix.yaml` | Skopeo push with API key | -## Verification +## Verified -- [ ] Anonymous pull works (`curl -sf https://registry.ops.eblu.me/v2/_catalog`) -- [ ] Unauthenticated push fails (401) -- [ ] OIDC browser login works (redirect to Authentik and back) -- [ ] API key push works (`docker login` with zot API key) -- [ ] CI push succeeds (Dagger and Nix/skopeo paths) -- [ ] Pushing an existing version tag as CI user fails (no update permission) -- [ ] Admin can delete a tag if needed -- [ ] Pull-through caching still works -- [ ] `mise run services-check` passes +- [x] Anonymous pull works (pull-through cache on gilbert) +- [x] Unauthenticated push fails (401) +- [x] OIDC browser login works (redirect to Authentik and back) +- [x] API key push works (zot-ci API key) +- [x] CI push succeeds (Dagger and Nix/skopeo paths) +- [x] Pull-through caching still works +- [x] Metrics endpoint accessible without auth +- [x] `mise run services-check` passes ## Related - [[register-zot-oidc-client]] — OIDC client registration in Authentik - [[wire-ci-registry-auth]] — CI push path wiring -- [[enforce-tag-immutability]] — Folded into this card (server-side via accessControl) +- [[enforce-tag-immutability]] — Server-side via accessControl - [[adopt-commit-based-container-tags]] — Commit-SHA-based image tags -- [[agent-change-process]] — C2 methodology diff --git a/docs/reference/services/zot.md b/docs/reference/services/zot.md index 8cfc3f5..c481316 100644 --- a/docs/reference/services/zot.md +++ b/docs/reference/services/zot.md @@ -1,6 +1,6 @@ --- title: Zot -modified: 2026-02-07 +modified: 2026-02-21 tags: - service - registry