Erich Blume
379bcb98af
## Summary - Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/` - Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved - Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability` - Add Zot section to `how-to.md` index, remove plan entry from plans index - All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`) ## Changes - **New:** `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal - **New:** `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik - **New:** `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth - **New:** `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites - **Deleted:** `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards) - **Updated:** `docs/how-to/how-to.md` — Add Zot section, remove plan entry - **Updated:** `docs/how-to/plans/plans.md` — Remove plan entry 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229
2 KiB
2 KiB
| title | modified | status | requires | tags | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Harden Zot Registry | 2026-02-20 | active |
|
|
Harden Zot Registry
Enable OIDC + API key authentication on zot with anonymous pull preserved, and enforce tag immutability for version tags. This is the C2 Mikado root goal.
Context
Zot currently has no authentication — security relies entirely on the Tailscale ACL boundary. Any tailnet client can push images, and tags are mutable.
Both prerequisites from the original plan are now complete:
- adopt-oidc-provider — Authentik is deployed and serving OIDC
- adopt-dagger-ci — Dagger handles container builds
Core Change
Update ansible/roles/zot/templates/config.json.j2 to add:
http.auth.openid— OIDC provider pointing to Authentikhttp.auth.apikey: true— enable API key generation for CIaccessControl— anonymous read, authenticated writeexternalUrl—https://registry.ops.eblu.mefor OIDC callback redirects
Key Files
| File | Purpose |
|---|---|
ansible/roles/zot/templates/config.json.j2 |
Zot config — add auth + access control |
ansible/roles/zot/defaults/main.yml |
New OIDC variables |
ansible/roles/zot/tasks/main.yml |
Deploy OIDC credentials file |
Verification
- Anonymous pull works (
curl -sf https://registry.ops.eblu.me/v2/_catalog) - Unauthenticated push fails (401)
- OIDC browser login works (redirect to Authentik and back)
- API key push works (
docker loginwithzak_...token) - Pull-through caching still works
mise run services-checkpasses
Related
- register-zot-oidc-client — Prereq: register OIDC client in Authentik
- wire-ci-registry-auth — Prereq: update CI push paths with credentials
- enforce-tag-immutability — Prereq: prevent version tag overwrites
- agent-change-process — C2 methodology