Register Zot as OIDC client in Authentik #236

Merged
eblume merged 1 commit from register-zot-oidc-client into main 2026-02-21 08:45:07 -08:00

Summary

  • Add Authentik blueprint (zot.yaml) with OAuth2 provider, application, artifact-workloads group, and zot-ci service account
  • Wire zot-client-secret through ExternalSecret → worker Deployment env var → blueprint !Env
  • Add Ansible pre_task to fetch OIDC secret from 1Password (item ID oor7os5kapczgpbwv7obkca4y4)
  • Add oidc-credentials.json.j2 template and deploy task in zot role (with when guard)

Manual Steps Required Before Deploy

  1. Generate client secret: openssl rand -hex 32
  2. Store in 1Password: add field zot-client-secret to "Authentik (blumeops)" item in vault blumeops

What This Does NOT Do

  • Does NOT modify config.json.j2 (that's the root goal harden-zot-registry)
  • Does NOT wire CI auth (that's wire-ci-registry-auth)
  • Does NOT set service account password or API keys (manual post-deploy)

Verification

After ArgoCD sync:

  • Authentik admin UI shows "Zot Registry" application
  • OIDC discovery at https://authentik.ops.eblu.me/application/o/zot/.well-known/openid-configuration returns valid JSON
  • Blueprint status is successful
  • artifact-workloads group exists with zot-ci service account

🤖 Generated with Claude Code

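The last item in the verification checklist above says the discovery endpoint "returns valid JSON". Valid JSON is the floor, not the bar: a relying party such as Zot will post the client secret wired up in this PR to whatever `token_endpoint` the document names and fetch signing keys from whatever `jwks_uri` it names, so the document must be checked, not just parsed. The script below is an added example (not part of the PR and not the project's own code) that applies those checks to a discovery document: the `issuer` must match the prefix of the URL it was fetched from, every endpoint must be https and on the issuer's host, and the authorization code flow must be offered. The discovery URL is the one from the checklist; the sample documents are constructed for offline testing with Authentik-style paths and were not captured from the real instance.

```python
"""Validate an OIDC discovery document beyond "it parses as JSON".

Added example for the verification step above, not code from the PR.
"""
import json
from urllib.parse import urlsplit

# Discovery URL taken from the PR's verification checklist.
DISCOVERY_URL = ("https://authentik.ops.eblu.me/application/o/zot/"
                 ".well-known/openid-configuration")
WELL_KNOWN = "/.well-known/openid-configuration"

# Metadata that OpenID Connect Discovery 1.0 (section 3) marks REQUIRED;
# token_endpoint is included because a registry uses the code flow.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")

# Endpoints a relying party may contact; each must stay on the issuer's origin.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint",
             "jwks_uri", "introspection_endpoint", "revocation_endpoint",
             "end_session_endpoint")


def expected_issuer(discovery_url):
    """Per Discovery 1.0 section 4 the document lives at issuer + WELL_KNOWN,
    so the issuer is that URL with the suffix (and a trailing slash) removed."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError(f"not a discovery URL: {discovery_url}")
    return discovery_url[: -len(WELL_KNOWN)].rstrip("/")


def validate_discovery(raw, discovery_url=DISCOVERY_URL):
    """Return a list of problems found; an empty list means the document passes."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]

    problems = [f"missing required field: {f}" for f in REQUIRED if f not in doc]
    if problems:
        return problems  # the checks below assume the required fields exist

    issuer = doc["issuer"]
    if not isinstance(issuer, str):
        return ["issuer is not a string"]
    # Compare with trailing slash tolerance here; note that the ID token 'iss'
    # claim must still equal this issuer string byte for byte.
    if issuer.rstrip("/") != expected_issuer(discovery_url):
        problems.append(f"issuer {issuer!r} does not match discovery URL prefix")

    issuer_host = urlsplit(issuer).netloc
    for field in ENDPOINTS:
        url = doc.get(field)
        if url is None:
            continue  # the optional endpoints may legitimately be absent
        parts = urlsplit(str(url))
        if parts.scheme != "https":
            problems.append(f"{field} is not https: {url}")
        if parts.netloc != issuer_host:
            problems.append(f"{field} host {parts.netloc!r} differs from "
                            f"issuer host {issuer_host!r}")

    if "code" not in doc["response_types_supported"]:
        problems.append("authorization code flow not offered in response_types_supported")
    return problems


# Constructed sample documents for offline testing (paths modelled on what an
# Authentik deployment serves; not captured from the real instance).
SAMPLE_GOOD = json.dumps({
    "issuer": "https://authentik.ops.eblu.me/application/o/zot/",
    "authorization_endpoint": "https://authentik.ops.eblu.me/application/o/authorize/",
    "token_endpoint": "https://authentik.ops.eblu.me/application/o/token/",
    "userinfo_endpoint": "https://authentik.ops.eblu.me/application/o/userinfo/",
    "jwks_uri": "https://authentik.ops.eblu.me/application/o/zot/jwks/",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Same document with a token endpoint on a foreign host and a plaintext JWKS
# URL: a relying party trusting this would send its client secret to the
# wrong server and accept signing keys fetched without transport security.
SAMPLE_BAD = json.dumps({
    **json.loads(SAMPLE_GOOD),
    "token_endpoint": "https://attacker.example/token",
    "jwks_uri": "http://authentik.ops.eblu.me/application/o/zot/jwks/",
})

if __name__ == "__main__":
    import sys
    from urllib.request import urlopen
    # Live check against the instance; needs network reachability to Authentik.
    with urlopen(DISCOVERY_URL, timeout=10) as resp:
        found = validate_discovery(resp.read().decode(), DISCOVERY_URL)
    print("\n".join(found) or "discovery document OK")
    sys.exit(1 if found else 0)
```

Run it after the ArgoCD sync; a non-zero exit with the listed problems is the signal to stop before wiring CI auth against this provider, since a bad `token_endpoint` is exactly where `zot-client-secret` would leak.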
Add Authentik blueprint for Zot with OAuth2 provider, application,
artifact-workloads group, and zot-ci service account. Wire the client
secret through ExternalSecret and worker deployment env var. Add Ansible
pre_task to fetch the OIDC secret from 1Password and a template task
to deploy oidc-credentials.json to indri.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume merged commit 21b6533aea into main 2026-02-21 08:45:07 -08:00