eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/zot/harden-zot-registry.md
Erich Blume 215ebef73e Update docs for Dagger module restructure 
- Update dagger.md reference card: new module name, source path,
  container build types table, container-version function
- Update build-container-image.md: container.py as preferred for indri,
  default.nix for ringtail, navidrome as reference pattern
- Update upgrade-dagger.md: uv.lock path (no longer under .dagger/)
- Update .dagger/src/blumeops_ci path references across 5 how-to docs
- Update container-version-check and pin-container-versions docs
- Update mise-tasks reference
- Set modified: 2026-04-11 on all changed docs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 17:09:51 -07:00

2.2 KiB
Raw Blame History

title modified tags
Harden Zot Registry 2026-04-11
how-to
zot
registry
security

Harden Zot Registry

OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. Completed as a C2 Mikado goal across PRs #236 and #237.

What Was Done

Updated ansible/roles/zot/templates/config.json.j2 with:

  1. http.auth.openid — OIDC provider pointing to Authentik (authentik.ops.eblu.me)
  2. http.auth.apikey: true — API key generation for CI service accounts
  3. http.accessControl — three-tier policy:
    • anonymousPolicy: ["read"] — anyone can pull
    • artifact-workloads group: ["read", "create"] — CI can push new tags but cannot overwrite or delete (immutable tags)
    • admins group: ["read", "create", "update", "delete"] — break-glass
  4. http.externalUrlhttps://registry.ops.eblu.me for OIDC callback redirects
  5. accessControl.metrics.users: [""] — allows anonymous Prometheus/Alloy scraping

Key Files

File Purpose
ansible/roles/zot/templates/config.json.j2 Zot config with auth + access control
ansible/roles/zot/defaults/main.yml OIDC issuer and external URL variables
ansible/roles/zot/templates/oidc-credentials.json.j2 OIDC client credentials
src/blumeops/main.py publish() with registry auth
.forgejo/workflows/build-container.yaml Dagger push with API key
.forgejo/workflows/build-container-nix.yaml Skopeo push with API key

Verified

  • Anonymous pull works (pull-through cache on gilbert)
  • Unauthenticated push fails (401)
  • OIDC browser login works (redirect to Authentik and back)
  • API key push works (zot-ci API key)
  • CI push succeeds (Dagger and Nix/skopeo paths)
  • Pull-through caching still works
  • Metrics endpoint accessible without auth
  • mise run services-check passes

Related