Erich Blume
ff63679efb
## Summary - Enable OIDC + API key authentication on zot registry with three-tier accessControl - `anonymousPolicy: ["read"]` — anyone can pull - `artifact-workloads` group: `["read", "create"]` — CI push, no overwrite/delete - `admins` group: `["read", "create", "update", "delete"]` — break-glass - Wire both CI push paths (Dagger and Nix/skopeo) with `ZOT_CI_API_KEY` credentials - Add `artifact-workloads` PolicyBinding in Authentik blueprint for zot app access - Add `ZOT_CI_API_KEY` to Forgejo Actions secrets via existing ansible role Completes the `wire-ci-registry-auth` and `harden-zot-registry` Mikado cards. ## Manual Deployment Steps (after merge) 1. Deploy Authentik blueprint: `argocd app sync authentik` 2. In Authentik admin UI: set a password for the `zot-ci` service account 3. Deploy zot config: `mise run provision-indri -- --tags zot` 4. Log in to `https://registry.ops.eblu.me` as `zot-ci` via OIDC → generate API key 5. Store API key in 1Password as `zot-ci-apikey` in blumeops vault 6. Sync Forgejo secrets: `mise run provision-indri -- --tags forgejo_actions_secrets` 7. Trigger a test container build to verify CI push 8. Verify anonymous pull: `curl -sf https://registry.ops.eblu.me/v2/_catalog` ## Uncertainties - **Zot `accessControl` group matching with OIDC:** Groups from Authentik's `profile` scope claim should map to zot policy groups, but the exact claim-to-group matching needs runtime verification - **`http.auth.apikey: true`:** This config key is documented but needs verification against the specific zot version built from source on indri - **API key permissions:** Need to confirm zot API keys inherit the generating user's group for accessControl evaluation ## Test Plan - [ ] `mise run provision-indri -- --check --diff --tags zot` shows expected config changes - [ ] Anonymous pull works after deploy - [ ] Unauthenticated push fails (401) - [ ] OIDC browser login redirects to Authentik and back - [ ] API key push works after key generation - [ ] CI push succeeds with both Dagger and skopeo paths - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/237
2.5 KiB
2.5 KiB
| title | modified | tags | ||||
|---|---|---|---|---|---|---|
| Harden Zot Registry | 2026-02-21 |
|
Harden Zot Registry
OIDC + API key authentication on zot with anonymous pull preserved, and tag immutability enforced server-side via accessControl. This was a C2 Mikado goal — all prerequisites are now complete.
What Was Done
Updated ansible/roles/zot/templates/config.json.j2 with:
http.auth.openid— OIDC provider pointing to Authentik (sso.ops.eblu.me)http.auth.apikey: true— API key generation for CI service accountshttp.accessControl— three-tier policy:anonymousPolicy: ["read"]— anyone can pullartifact-workloadsgroup:["read", "create"]— CI can push new tags but cannot overwrite or delete (immutable tags)adminsgroup:["read", "create", "update", "delete"]— break-glass
http.externalUrl—https://registry.ops.eblu.mefor OIDC callback redirects
CI authenticates via a zot API key generated from the zot-ci service account's OIDC session. The key is stored in 1Password and synced to Forgejo Actions secrets.
Key Files
| File | Purpose |
|---|---|
ansible/roles/zot/templates/config.json.j2 |
Zot config with auth + access control |
ansible/roles/zot/defaults/main.yml |
OIDC issuer and external URL variables |
ansible/roles/zot/templates/oidc-credentials.json.j2 |
OIDC client credentials |
.dagger/src/blumeops_ci/main.py |
publish() with registry auth |
.forgejo/workflows/build-container.yaml |
Dagger push with API key |
.forgejo/workflows/build-container-nix.yaml |
Skopeo push with API key |
Verification
- Anonymous pull works (
curl -sf https://registry.ops.eblu.me/v2/_catalog) - Unauthenticated push fails (401)
- OIDC browser login works (redirect to Authentik and back)
- API key push works (
docker loginwith zot API key) - CI push succeeds (Dagger and Nix/skopeo paths)
- Pushing an existing version tag as CI user fails (no update permission)
- Admin can delete a tag if needed
- Pull-through caching still works
mise run services-checkpasses
Related
- register-zot-oidc-client — OIDC client registration in Authentik
- wire-ci-registry-auth — CI push path wiring
- enforce-tag-immutability — Folded into this card (server-side via accessControl)
- adopt-commit-based-container-tags — Commit-SHA-based image tags
- agent-change-process — C2 methodology