eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/docs/how-to/zot/register-zot-oidc-client.md
Erich Blume 379bcb98af Create C2 Mikado cards for harden-zot-registry (#229) 
## Summary
- Replace the old pre-Mikado plan doc (`docs/how-to/plans/harden-zot-registry.md`) with a proper C2 Mikado chain in `docs/how-to/zot/`
- Root goal: `harden-zot-registry` — enable OIDC + API key auth on zot with anonymous pull preserved
- Three leaf prereqs: `register-zot-oidc-client`, `wire-ci-registry-auth`, `enforce-tag-immutability`
- Add Zot section to `how-to.md` index, remove plan entry from plans index
- All doc checks pass (`docs-check-links`, `docs-check-index`, `docs-mikado`)

## Changes
- **New:** `docs/how-to/zot/harden-zot-registry.md` — C2 Mikado root goal
- **New:** `docs/how-to/zot/register-zot-oidc-client.md` — Register OIDC client in Authentik
- **New:** `docs/how-to/zot/wire-ci-registry-auth.md` — Wire CI push paths with registry auth
- **New:** `docs/how-to/zot/enforce-tag-immutability.md` — Prevent version tag overwrites
- **Deleted:** `docs/how-to/plans/harden-zot-registry.md` — Old plan doc (content absorbed into Mikado cards)
- **Updated:** `docs/how-to/how-to.md` — Add Zot section, remove plan entry
- **Updated:** `docs/how-to/plans/plans.md` — Remove plan entry

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/229
2026-02-20 17:56:25 -08:00

1.9 KiB
Raw Blame History

title modified status tags
Register Zot OIDC Client 2026-02-20 active
how-to
zot
authentik
oidc

Register Zot OIDC Client

Register a zot OAuth2 provider and application in Authentik via blueprint, following the same pattern as Grafana and Forgejo.

What to Do

  1. Add zot.yaml blueprint section to argocd/manifests/authentik/configmap-blueprint.yaml:

    • OAuth2Provider: client_id: zot, redirect URI https://registry.ops.eblu.me/zot/auth/callback/oidc
    • Application linked to the provider
    • PolicyBinding restricting access to the admins group

  2. Generate and store client secret in 1Password item "Authentik (blumeops)" as field zot-client-secret

  3. Add AUTHENTIK_ZOT_CLIENT_SECRET to Authentik worker's ExternalSecret at argocd/manifests/authentik/external-secret.yaml

  4. Blueprint references the secret via !Env AUTHENTIK_ZOT_CLIENT_SECRET

  5. Create OIDC credentials file for zot's Ansible role:

    • New template ansible/roles/zot/templates/oidc-credentials.json.j2 containing client_id and client_secret
    • Source client_secret from 1Password via a new pre_task in ansible/playbooks/indri.yml

Key Files

File Purpose
argocd/manifests/authentik/configmap-blueprint.yaml Add zot blueprint (provider + app + policy)
argocd/manifests/authentik/external-secret.yaml Add AUTHENTIK_ZOT_CLIENT_SECRET env var
ansible/roles/zot/templates/oidc-credentials.json.j2 New: OIDC credentials for zot
ansible/playbooks/indri.yml New pre_task for zot OIDC client secret

Verification

  • Authentik admin UI shows zot application
  • OIDC discovery endpoint includes zot client
  • Blueprint status is successful (check via API, not just logs)

Related