# Zot
Zot is the OCI-native container registry used by Cogrion to host platform and workspace container images. Every image consumed by a tenant cluster — whether it runs the Control Plane, a workspace stack, or a user-built application — is pulled from Zot.
## Why Zot
Zot is purpose-built for the OCI distribution spec, runs as a single binary, and stores its data in object storage rather than a local filesystem. This makes it well-suited to the platform's stateless, S3-backed deployment model. Unlike general-purpose registries, Zot also exposes a built-in UI and supports OpenID-based authentication out of the box, allowing it to integrate cleanly with Keycloak.
## Authentication
Zot is a Keycloak client. Users sign in to the Zot UI through the same identity flow used for the rest of the platform — there is no separate registry account. A local password-file account is also retained as a break-glass mechanism for admin recovery.
For tools that cannot perform a browser-based login — for example `docker push` or CI pipelines — Zot issues per-user API keys that act as long-lived credentials scoped to that user's permissions.
## Storage
Image blobs and manifests are stored in an S3 bucket. The Zot pod itself is stateless and can be rescheduled without data loss. A small local volume is mounted only as scratch space for in-flight uploads.
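The setup described in the Authentication and Storage sections, written out as an added example Zot `config.json` (this is not the platform's own configuration, which lives in the GitOps repository): Keycloak as the OpenID provider, an htpasswd account for break-glass admin access, API keys enabled, S3 as the blob store, and a local directory used only as scratch space. The hostnames, bucket, region, client id and secret are constructed placeholders; `dedupe` is disabled because Zot's S3 dedupe would otherwise require a remote cache driver.

```json
{
  "distSpecVersion": "1.1.0",
  "storage": {
    "rootDirectory": "/var/lib/zot-scratch",
    "dedupe": false,
    "gc": true,
    "storageDriver": {
      "name": "s3",
      "region": "REPLACE-REGION",
      "bucket": "REPLACE-zot-images-bucket",
      "rootdirectory": "/zot",
      "secure": true,
      "skipverify": false
    }
  },
  "http": {
    "address": "0.0.0.0",
    "port": "5000",
    "externalUrl": "https://zot.example.internal",
    "auth": {
      "htpasswd": { "path": "/etc/zot/htpasswd" },
      "openid": {
        "providers": {
          "oidc": {
            "name": "Keycloak",
            "clientid": "zot",
            "clientsecret": "REPLACE-WITH-CLIENT-SECRET",
            "issuer": "https://keycloak.example.internal/realms/REPLACE-REALM",
            "scopes": ["openid", "profile", "email", "groups"]
          }
        }
      },
      "apikey": true
    },
    "accessControl": {
      "repositories": {
        "**": { "defaultPolicy": ["read"] }
      },
      "adminPolicy": {
        "users": ["admin"],
        "actions": ["read", "create", "update", "delete"]
      }
    }
  },
  "log": { "level": "info" },
  "extensions": {
    "search": { "enable": true },
    "ui": { "enable": true }
  }
}
```

With this configuration, API keys are minted after an OpenID login (through the UI or the `/zot/auth/apikey` endpoint) and presented as the password to `docker login`, while `adminPolicy` gives the htpasswd `admin` user full rights, so that credential should stay reserved for recovery.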
## How It Relates to Other Services
| Service | Relationship |
|---|---|
| Keycloak | Issues the tokens used to authenticate users into the Zot UI. |
| Control Plane | Pulls platform component images from Zot when provisioning or upgrading workspaces. |
| Cluster Agent | Pulls workspace stack images from Zot during in-cluster deployments. |
## Go Deeper
- Core Platform → Keycloak
- Tenant Platform → Cluster Agent
- Platform Developer → Authoring Bundles
## Implementation
Zot is deployed via the `project-zot/zot` Helm chart managed by ArgoCD. Configuration lives in the `sparqd-gitops-master` repository.