diff --git a/zot/helm-values.yaml b/zot/helm-values.yaml
index e448acf..cf9e4b8 100644
--- a/zot/helm-values.yaml
+++ b/zot/helm-values.yaml
@@ -89,6 +89,13 @@ persistence:
 - path: /etc/zot/htpasswd
 subPath: htpasswd
 readOnly: true
+ oidc-credentials:
+ type: secret
+ name: zot-oidc-credentials
+ globalMounts:
+ - path: /etc/zot/oidc-credentials.json
+ subPath: credentials.json
+ readOnly: true
 
 configMaps:
 config:
@@ -118,6 +125,17 @@ configMaps:
 "htpasswd": {
 "path": "/etc/zot/htpasswd"
 },
+ "openid": {
+ "providers": {
+ "authelia": {
+ "name": "Authelia",
+ "issuer": "https://auth0213.kro.kr",
+ "clientid": "zot",
+ "scopes": ["openid", "profile", "email"],
+ "credentialsFile": "/etc/zot/oidc-credentials.json"
+ }
+ }
+ },
 "sessionDriver": {
 "name": "redis",
 "url": "redis://authelia-redis-master.authelia.svc.cluster.local:6379",
diff --git a/zot/manifests/secret.yaml b/zot/manifests/secret.yaml
index a08e606..6db829d 100644
--- a/zot/manifests/secret.yaml
+++ b/zot/manifests/secret.yaml
@@ -16,3 +16,34 @@ spec:
 remoteRef:
 key: zot
 property: HTPASSWD
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: zot-oidc-secret
+ namespace: zot
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-backend
+ target:
+ name: zot-oidc-credentials
+ creationPolicy: Owner
+ template:
+ engineVersion: v2
+ data:
+ credentials.json: |
+ {
+ "clientid": "{{ .client_id }}",
+ "clientsecret": "{{ .client_secret }}"
+ }
+ data:
+ - secretKey: client_id
+ remoteRef:
+ key: zot
+ property: OIDC_CLIENT_ID
+ - secretKey: client_secret
+ remoteRef:
+ key: zot
+ property: OIDC_CLIENT_SECRET
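Review bot: The new mount at `subPath: credentials.json` will not see rotated credentials: Kubernetes does not propagate Secret updates into subPath volume mounts, so the `refreshInterval: 1h` on the ExternalSecret in the secret.yaml hunk refreshes the Secret object while the file inside the container keeps the value from pod start. If rotating the OIDC client secret in Vault is meant to take effect without a rollout, mount the Secret as a directory instead (e.g. `path: /etc/zot/oidc` and point `credentialsFile` at `/etc/zot/oidc/credentials.json`) or trigger a restart on change; whether zot re-reads `credentialsFile` at runtime is not visible here and would also need confirming. Otherwise a comment on this mount stating that a pod restart is required after rotation would avoid a confusing auth outage.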
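Review bot: The client ID is now defined in two places: `"clientid": "zot"` in this provider block and the `client_id` that the secret.yaml hunk renders into `credentials.json` from the `OIDC_CLIENT_ID` Vault property. Which value zot honours when they differ is not visible from this diff, so keep a single source of truth — either drop `"clientid": "zot"` here and rely on the credentials file, or drop `clientid` from the templated file. It is also worth confirming against the zot version in use that `credentialsFile` is the expected per-provider key and that the file's field names (`clientid`, `clientsecret`) match what zot reads, since a mismatch would only surface at login time rather than as a config error at startup.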
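Review bot: `credentials.json` is assembled by plain string interpolation, so a `client_secret` containing `"`, `\` or a newline yields invalid JSON and the provider fails to load. Let the template engine produce JSON strings instead: `"clientid": {{ .client_id | toJson }},` and `"clientsecret": {{ .client_secret | toJson }}` (sprig `toJson` is available with `engineVersion: v2`). Check the rendered Secret once after the change, since a value handed to the template as bytes rather than a string would encode differently.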