From 950604bf25e23c92d4e18a2db22d122f7b4f3444 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 17 Jan 2026 13:47:24 -0800 Subject: [PATCH] Add tag:k8s grant for registry access (Woodpecker CI) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit K8s workloads (like Woodpecker CI) need to push/pull images from Zot. They'll get Tailscale identity via the operator (Phase 1) with tag:k8s. Added grant and test case for tag:k8s → tag:registry access. Co-Authored-By: Claude Opus 4.5 --- docs/k8s-migration.md | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/docs/k8s-migration.md b/docs/k8s-migration.md index 4a84005..1d1dea5 100644 --- a/docs/k8s-migration.md +++ b/docs/k8s-migration.md @@ -91,7 +91,17 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics "tag:k8s": ["autogroup:admin", "tag:blumeops"], ``` -2. Add test cases to `tests` section: +2. Add k8s→registry grant to `grants` section (around line 62, in the Infrastructure section): +```hujson +// k8s workloads (e.g., Woodpecker CI) can push/pull from registry +{ + "src": ["tag:k8s"], + "dst": ["tag:registry"], + "ip": ["tcp:443"], +}, +``` + +3. Add test cases to `tests` section: - Update Erich's accept list (around line 111) to include registry: ```hujson "accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"], 
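Review bot: The new `tag:k8s` → `tag:registry` grant is a network-level allow on tcp:443 for every workload carrying `tag:k8s`, not just Woodpecker CI, and nothing in the hunk distinguishes push from pull; whether a pod may push an image is then decided entirely by Zot's own authentication, which the surrounding doc still describes as something to enable "if we later need finer-grained control". If only the CI runner needs push, a narrower tag scoped to that runner would keep the blast radius of a compromised pod smaller; either way the step text should state that push authorization is enforced by Zot, not by this grant. Minor: "around line 62" will drift as `tailnet` policy grows; anchoring the instruction on the Infrastructure comment block rather than a line number is more durable.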
@@ -100,14 +110,23 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics ```hujson "deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443"], ``` + - Add k8s test case: + ```hujson + { + "src": "tag:k8s", + "accept": ["tag:registry:443"], + }, + ``` -**Note:** No member grant needed for registry. Admins already have access via `"dst": ["*"]`. -K8s on indri accesses the registry locally (`localhost:5000`), not via Tailscale. -Zot supports htpasswd auth if we later need finer-grained control. +**Note:** +- No member grant needed - admins have full access, members don't need registry +- `tag:k8s` grant allows Woodpecker CI (and other k8s workloads) to push/pull images +- K8s pods get Tailscale identity via the Tailscale Kubernetes Operator (Phase 1) +- Zot supports htpasswd auth if we later need finer-grained control **Testing:** ```bash -mise run tailnet-preview # Review changes - should show new tags +mise run tailnet-preview # Review changes - should show new tags and k8s grant mise run tailnet-up # Apply changes ```
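Review bot: The added test case only asserts `"accept": ["tag:registry:443"]` for `tag:k8s`; add a `deny` list alongside it (the hunk already shows the pattern with `"tag:pg:5432"`, `"tag:nas:445"` and `"tag:loki:3100"` in the neighbouring test) so that a future broadening of the `tag:k8s` grant is caught by `mise run tailnet-preview` rather than discovered in production. Separately, the rewritten note drops the sentence "K8s on indri accesses the registry locally (`localhost:5000`), not via Tailscale"; if that local path still exists it bypasses this grant and the new test entirely and should remain documented, and if it has been removed as part of the operator migration the note should say so explicitly.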