https://blogs.law.harvard.edu/tech/rss https://this-is-fine.io/tags/zot/ Recent content in Zot on Fuchsbau https://this-is-fine.io/tags/zot/ https://source.unsplash.com/2000x1322/?fox 1440 Hugo 0.125.4 de-DE Wed, 20 May 2026 22:26:12 UT https://this-is-fine.io/posts/20251122-pocket-id-oidc-zot/ Sat, 22 Nov 2025 11:00:00 UT ff0x https://this-is-fine.io/posts/20251122-pocket-id-oidc-zot/ Pocket ID is a small OpenID Connect provider — enough for a homelab without Keycloak. The lab runs it at https://auth.this-is-fine.io with Flux and an HTTPRoute on Envoy Gateway. Below is how Zot uses native OpenID against that issuer. If you already run a homelab IdP, the interesting part is how little application code must change when the app speaks OIDC natively. Zot is a clear example: configure issuer URL, client ID, and redirect URIs, mount a secret, and the registry UI handles login without an OAuth sidecar in front of it. Infrastructure https://this-is-fine.io/posts/20251122-zot-instead-of-harbor/ Sat, 22 Nov 2025 10:00:00 UT ff0x https://this-is-fine.io/posts/20251122-zot-instead-of-harbor/ Harbor is a full registry product: scanning, replication, projects, and several backing services. On aarch64 it is also heavy, and it was a poor fit for four RK1 boards (ARM support is still catching up). After moving Talos from x86-64 to ARM64, Harbor stayed disabled in Git; Zot serves oci.this-is-fine.io instead. Harbor shines when you want built-in scanning UI, replication policies, and a large operations surface. The lab mainly needed push, pull, sign, and admit — a smaller registry that speaks OCI and runs comfortably on ARM boards was the better fit. Infrastructure https://this-is-fine.io/posts/20251121-cosign-kyverno-zeroclaw/ Fri, 21 Nov 2025 12:00:00 UT ff0x https://this-is-fine.io/posts/20251121-cosign-kyverno-zeroclaw/ For images you build yourself, a practical supply-chain loop is: build in CI, sign the digest, verify at admission. The lab uses Cosign (Sigstore), a private Zot registry at oci.this-is-fine.io, and Kyverno verifyImages so unsigned ZeroClaw pods do not start. CI holds the private signing key; the cluster policy carries the matching public key. Signing answers a simple question: did this image come from your build pipeline? Scanning for CVEs is still worth doing, but signature verification stops casual image substitution even when a tag name looks familiar. Infrastructure Security