eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/reference/services/zot.md
Erich Blume 57fd88b269 C0: fix op item edit syntax in zot key rotation 
The pbpaste | op item edit ... "field[password]=-" stdin syntax is
rejected by op 2.34 as "invalid JSON" — recent op versions treat
piped input as a full JSON template, not a single field value.
Procedure now uses an inline assignment via a local fish variable.
2026-05-22 21:50:43 -07:00

70 lines
2.6 KiB
Markdown
Raw Blame History

---
title: Zot
modified: 2026-03-14
tags:
- service
- registry
---
# Zot
OCI-native container registry providing pull-through cache and private image storage.
## Quick Reference
| Property | Value |
|----------|-------|
| **URL** | https://registry.ops.eblu.me |
| **Local Port** | 5050 |
| **Data** | `~/zot` |
| **Config** | `~/.config/zot/config.json` |
| **LaunchAgent** | mcquack |
## Namespace Convention
| Path | Source |
|------|--------|
| `registry.ops.eblu.me/docker.io/*` | Cached from Docker Hub |
| `registry.ops.eblu.me/ghcr.io/*` | Cached from GHCR |
| `registry.ops.eblu.me/quay.io/*` | Cached from Quay |
| `registry.ops.eblu.me/blumeops/*` | Private images |
## Pull-Through Cache
When [[cluster|minikube]] pulls an image, containerd checks zot first. If cached, returns immediately. If not, zot fetches from upstream, caches it, then returns.
## Security Model
OIDC authentication via [[authentik]], with API key support for CI. Three-tier access control:
| Role | Permissions | Use case |
|------|------------|----------|
| Anonymous | read | Pull images without auth |
| `artifact-workloads` group | read, create | CI push (new tags only, no overwrite/delete) |
| `admins` group | read, create, update, delete | Break-glass admin access |
CI authenticates with a zot API key generated from the `zot-ci` service account's OIDC session. The key is stored in the `Forgejo Secrets` 1Password item (field `zot-ci-api`) and synced to Forgejo Actions secrets via ansible.
## API Key Rotation
The `zot-ci` API key expires every **90 days**. To rotate:
1. In Authentik admin UI, impersonate the `zot-ci` user
2. Visit `https://registry.ops.eblu.me` — you'll land on the login page
3. Click "SIGN IN WITH OIDC" to authenticate as zot-ci
4. Navigate to `https://registry.ops.eblu.me/user/apikey`
5. Generate a new API key, copy it to clipboard
6. Update 1Password:
```fish
set -l NEWKEY (pbpaste); op item edit "Forgejo Secrets" --vault blumeops "zot-ci-api[password]=$NEWKEY"; set -e NEWKEY
```
The value is briefly visible to other `ps`-readers on this machine (single-user mac, acceptable tradeoff). The older `pbpaste | op item edit ... "field[password]=-"` stdin syntax was rejected by op 2.34 as "invalid JSON" — recent op versions treat piped input as a full JSON template.
7. Sync to Forgejo: `mise run provision-indri -- --tags forgejo_actions_secrets`
## Related
- [[forgejo]] - Container build CI
- [[cluster|Cluster]] - Registry consumer
- [[authentik]] - OIDC identity provider
- [[harden-zot-registry]] - Security hardening guide
- [[service-versions]] - Version tracking for deployed services
Reference in a new issue View git blame Copy permalink