## Summary

- Add Authentik blueprint (`zot.yaml`) with OAuth2 provider, application, `artifact-workloads` group, and `zot-ci` service account
- Wire `zot-client-secret` through ExternalSecret → worker Deployment env var → blueprint `!Env`
- Add Ansible pre_task to fetch OIDC secret from 1Password (item ID `oor7os5kapczgpbwv7obkca4y4`)
- Add `oidc-credentials.json.j2` template and deploy task in zot role (with `when` guard)

## Manual Steps Required Before Deploy

1. Generate client secret: `openssl rand -hex 32`
2. Store in 1Password: add field `zot-client-secret` to "Authentik (blumeops)" item in vault `blumeops`

## What This Does NOT Do

- Does NOT modify `config.json.j2` (that's the root goal `harden-zot-registry`)
- Does NOT wire CI auth (that's `wire-ci-registry-auth`)
- Does NOT set service account password or API keys (manual post-deploy)

## Verification

After ArgoCD sync:

- [ ] Authentik admin UI shows "Zot Registry" application
- [ ] OIDC discovery at `https://authentik.ops.eblu.me/application/o/zot/.well-known/openid-configuration` returns valid JSON
- [ ] Blueprint status is `successful`
- [ ] `artifact-workloads` group exists with `zot-ci` service account

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/236
74 lines
2.1 KiB
YAML
```yaml
---
# Note: Zot is built from source, not installed via homebrew.
#
# ONE-TIME SETUP (before running ansible):
#
# 1. Clone zot from forge mirror (use localhost:3001 - hairpinning doesn't work):
#    ssh indri 'git clone http://localhost:3001/eblume/zot.git ~/code/3rd/zot'
#
# 2. Set up Go via mise:
#    ssh indri 'cd ~/code/3rd/zot && mise use go@1.25'
#
# 3. Build (creates bin/zot-darwin-arm64):
#    ssh indri 'cd ~/code/3rd/zot && mise x -- make binary'
#
# 4. Run ansible to deploy config and LaunchAgent

- name: Verify zot binary exists
  ansible.builtin.stat:
    path: "{{ zot_binary }}"
  register: zot_binary_stat

- name: Fail if zot binary not found
  ansible.builtin.fail:
    msg: |
      Zot binary not found at {{ zot_binary }}.
      Please build from source first:
        ssh indri 'cd ~/code/3rd/zot && mise x -- make binary'
  when: not zot_binary_stat.stat.exists

- name: Ensure zot data directory exists
  ansible.builtin.file:
    path: "{{ zot_data_dir }}"
    state: directory
    mode: '0755'

- name: Ensure zot config directory exists
  ansible.builtin.file:
    path: "{{ zot_config_dir }}"
    state: directory
    mode: '0755'

- name: Deploy zot config
  ansible.builtin.template:
    src: config.json.j2
    dest: "{{ zot_config_dir }}/config.json"
    mode: '0644'
  notify: Restart zot

# The client secret lives in its own owner-only file; the task is skipped
# entirely when the pre_task did not provide zot_oidc_client_secret.
- name: Deploy zot OIDC credentials
  ansible.builtin.template:
    src: oidc-credentials.json.j2
    dest: "{{ zot_config_dir }}/oidc-credentials.json"
    mode: '0600'
  notify: Restart zot
  when: zot_oidc_client_secret is defined

- name: Deploy zot LaunchAgent plist
  ansible.builtin.template:
    src: zot.plist.j2
    dest: ~/Library/LaunchAgents/mcquack.eblume.zot.plist
    mode: '0644'
  notify: Restart zot

- name: Check if zot LaunchAgent is loaded
  ansible.builtin.command: launchctl list mcquack.eblume.zot
  register: zot_launchctl_check
  changed_when: false
  failed_when: false

# failed_when: false means a failed load is not reported by the play;
# confirm the agent is running with launchctl after the run.
- name: Load zot LaunchAgent if not loaded
  ansible.builtin.command: launchctl load ~/Library/LaunchAgents/mcquack.eblume.zot.plist
  when: zot_launchctl_check.rc != 0
  changed_when: true
  failed_when: false
```