Add tag:k8s grant for registry access (Woodpecker CI)

K8s workloads (like Woodpecker CI) need to push/pull images from Zot.
They'll get Tailscale identity via the operator (Phase 1) with tag:k8s.
Added grant and test case for tag:k8s → tag:registry access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Erich Blume 2026-01-17 13:47:24 -08:00
commit 950604bf25


@ -91,7 +91,17 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics
"tag:k8s": ["autogroup:admin", "tag:blumeops"],
```
2. Add test cases to `tests` section:
2. Add k8s→registry grant to `grants` section (around line 62, in the Infrastructure section):
```hujson
// k8s workloads (e.g., Woodpecker CI) can push/pull from registry
{
"src": ["tag:k8s"],
"dst": ["tag:registry"],
"ip": ["tcp:443"],
},
```
3. Add test cases to `tests` section:
- Update Erich's accept list (around line 111) to include registry:
```hujson
"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"],
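Review bot: the step numbering in this hunk collides if both "2." lines survive the change ("2. Add test cases to `tests` section:" directly followed by "2. Add k8s→registry grant to `grants` section"); since the test-case step is re-introduced as "3. Add test cases to `tests` section:", the earlier "2. Add test cases" line should be the one that goes. The "around line 62" and "around line 111" hints will drift as the policy file grows; pointing at the section comment ("in the Infrastructure section") without a line number is more durable. The grant itself is tightly scoped (`"src": ["tag:k8s"]`, `"dst": ["tag:registry"]`, `"ip": ["tcp:443"]`), which is the right least-privilege shape for a push/pull path and keeps k8s workloads off every other tagged service.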
@ -100,14 +110,23 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics
```hujson
"deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443"],
```
- Add k8s test case:
```hujson
{
"src": "tag:k8s",
"accept": ["tag:registry:443"],
},
```
**Note:** No member grant needed for registry. Admins already have access via `"dst": ["*"]`.
K8s on indri accesses the registry locally (`localhost:5000`), not via Tailscale.
Zot supports htpasswd auth if we later need finer-grained control.
**Note:**
- No member grant needed - admins have full access, members don't need registry
- `tag:k8s` grant allows Woodpecker CI (and other k8s workloads) to push/pull images
- K8s pods get Tailscale identity via the Tailscale Kubernetes Operator (Phase 1)
- Zot supports htpasswd auth if we later need finer-grained control
**Testing:**
```bash
mise run tailnet-preview # Review changes - should show new tags
mise run tailnet-preview # Review changes - should show new tags and k8s grant
mise run tailnet-up # Apply changes
```
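Review bot: the new `tag:k8s` test case only asserts `accept`; add a `deny` list next to it (for example `"deny": ["tag:pg:5432", "tag:nas:445"]`, mirroring the deny entries already used for the other principal in this section) so that `mise run tailnet-preview` fails if a later edit widens the k8s grant beyond the registry. The two `mise run tailnet-preview` lines in the Testing block differ only in their trailing comment; if both remain after the change, the first is redundant and should be dropped. The "K8s on indri accesses the registry locally (`localhost:5000`), not via Tailscale" sentence contradicts the motivation for the new grant; if it is not the removed text here, reconcile it with the bullet that says k8s pods reach the registry with a Tailscale identity via the operator.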