Skip to content

Self-hosted registry for OpenTofu & Terraform

A Kubernetes-native module and provider registry with zero extra infrastructure. Authentication, RBAC, and self-healing come free โ€” no database, no API keys, no separate identity store.

Get Started  โ†’ View on GitHub
No Database Self-Healing Multi-Cloud Storage Tamper-Resistant Kubernetes-Native OIDC SSO Fine-Grained Access Policies Trivy Scanning Pre-signed Redirects
OpenDepot logo

Home

Why OpenDepot?

Enterprise registries like JFrog Artifactory and HCP Terraform charge for features that should come standard โ€” vulnerability scanning, automatic version discovery, and secure auth. They also bring heavyweight operational baggage: external databases, proprietary identity stores, and infrastructure your team has to maintain.

OpenDepot is free, open source, and Kubernetes-native. It ships all of those features out of the box, is designed around OIDC as the preferred authentication path, and keeps the server read-only by design. Kubernetes RBAC remains the authorization layer for create, update, and delete operations, and deployment still requires nothing beyond a Helm chart and a storage backend.

  •  OIDC Single Sign-On (SSO)

    First-class support for the OpenTofu login flow via the bundled Dex subchart. Connect any OIDC-compatible identity provider โ€” GitHub, Entra ID, Okta, or static passwords โ€” and let tofu login handle credential acquisition automatically.

  •  Security First

    OIDC is the preferred authentication path (via Dex and your upstream IdP), while the server stays read-only by design. Kubernetes RBAC authorizes create, update, and delete operations โ€” no proprietary tokens, no user database, no extra identity store.

  •  Self-Healing

    Declarative controllers continuously reconcile toward desired state. Transient errors retry with exponential backoff. Applying the same manifest twice is a no-op.

  •  No Database Required

    The Kubernetes API is the datastore. No PostgreSQL, no Redis, no external dependencies โ€” just a Helm chart and a storage backend.

  •  Multi-Cloud Storage

    S3, Azure Blob, Google Cloud Storage, and local filesystem โ€” all supported out of the box with SDK-native authentication chains.

  •  Automatic Version Discovery

    The Depot controller queries the GitHub Releases API for modules and the HashiCorp Releases API for providers, resolves your version constraints, and creates resources automatically.

  •  Tamper-Resistant Checksums

    Checksums are written to Kubernetes status subresources (protected by RBAC) and verified on every reconciliation โ€” not just at upload time.

  •  Built-In Vulnerability Scanning

    The Version controller runs Trivy automatically on every provider binary, provider source (go.mod), and module archive. Findings are stored on the Kubernetes resource and can optionally block promotion of critical or high severity artifacts.

  •  Zero-Egress Provider Downloads

    Enable pre-signed URL redirects so OpenTofu fetches provider binaries directly from S3, GCS, or Azure Blob โ€” no bandwidth through the server, no extra hops, no infrastructure bottleneck.

How OpenDepot Compares

Feature OpenDepot (OSS) HCP Terraform Registry JFrog Artifactory GitLab Terraform Registry Harbor / OCI Registry Terrarium / Tapir / Hermit (OSS)
License Apache 2.0 (Free, OSS) Commercial SaaS/Enterprise Commercial (Paid) GitLab EE/CE (Mixed) Apache 2.0 (OSS) OSS (varies)
Auth K8s RBAC + OIDC (Dex) HCP tokens, SSO Artifactory tokens, SSO GitLab users Registry users/OIDC API keys, basic auth
Database Required No (K8s API) SaaS-managed/PostgreSQL Yes (external DB) Yes Yes Yes
Deployment Helm chart, K8s-native SaaS / Enterprise on-prem Docker/K8s/VM SaaS or self-hosted Docker/K8s Docker/K8s
Self-healing Yes (controller loop) Partial (SaaS-managed) No No No No
Multi-cloud Storage S3, Azure, GCS, FS SaaS-managed S3, Azure, GCS S3, GCS, Filesystem S3, GCS, Azure, Filesystem S3, GCS, Filesystem
Version Discovery Automatic (GitHub/HC) VCS-connected/manual Manual upload/API Manual/CI Manual/CI Manual upload
Immutability Checksum every reconcile At upload only Repo-level flag At upload only At upload only At upload only
Air-gapped Support Yes (FS + PVC) Enterprise only Yes Yes Yes Yes
Vuln Scanning Built-in (Trivy) No Paid add-on (Xray) No No No
Pre-signed URLs Yes (S3, GCS, Azure) No Yes (CDN) No No No
Provider Support Yes Yes Yes No No No (modules only)
tofu login Flow Yes (Dex, login.v1) Yes Yes No No No
Open Source Yes No No Partial Yes Yes

Tip

Enterprise registries charge for features OpenDepot ships for free โ€” automatic version discovery, built-in vulnerability scanning, and Kubernetes-native auth with no external identity store. If you're already running Kubernetes, OpenDepot gives you all of that with no license fees, no extra infrastructure, and no extra attack surface.

How It Works

%%{init: {'flowchart': {'defaultRenderer': 'elk'}} }%%
graph TD
    CLI["OpenTofu / Terraform CLI"]

    Server["Server โ€” Registry Protocol API\nService Discovery ยท List Versions\nDownload Redirect ยท GPG-signed SHA256SUMS"]

    Dex["Dex\nOIDC Identity Broker"]
    IdP["Upstream IdP\nGitHub ยท Entra ID ยท Okta"]

    Depot["Depot\nController"]
    SyncBus[" "]:::hidden
    Module["Module\nController"]
    Provider["Provider\nController"]
    Version["Version\nController"]

    Storage[("Storage Backend\nS3 ยท Azure ยท GCS ยท Filesystem")]

    GitHub["GitHub\nReleases API"]
    HashiCorp["HashiCorp\nReleases API"]

    CLI -->|"tofu login (authz / device code)"| Dex
    Dex -->|"federates auth"| IdP
    Server -.->|"JWKS fetch at startup"| Dex

    CLI -->|"HTTP requests (JWT bearer)"| Server
    Server -->|"reads Module + Provider"| Module & Provider

    Depot -->|queries| GitHub
    Depot -->|queries| HashiCorp
    Depot -->|creates / updates| SyncBus
    SyncBus --> Module
    SyncBus --> Provider

    Module -->|creates Version resources| Version
    Provider -->|creates Version resources| Version

    Version -->|fetches archives| GitHub
    Version -->|fetches binaries| HashiCorp
    Version -->|uploads to| Storage

    classDef hidden fill:none,stroke:none,color:transparent;

See Architecture for a detailed description of each controller and the full reconciliation event flow.

Next Steps

  •  Install with Helm

    Deploy OpenDepot to your cluster in minutes.

  •  Local Quickstart

    Run a fully functional registry locally with kind โ€” no cloud account needed.

  •  Architecture

    Understand how the four services interact and reconcile.

  •  Guides

    GitOps, CI/CD, Depot, provider consumption, and migration workflows.