diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml
index a65715c..89f9d46 100644
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@@ -8,3 +8,4 @@ resources:
 - deployment.yaml
 - service.yaml
 - ingress.yaml
+ - zot-client-bootstrap.yaml
diff --git a/services/vault/ingress.yaml b/services/vault/ingress.yaml
index 26c9b16..cbc0a74 100644
--- a/services/vault/ingress.yaml
+++ b/services/vault/ingress.yaml
@@ -7,10 +7,10 @@ metadata:
 annotations:
 kubernetes.io/ingress.class: traefik
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
- traefik.ingress.kubernetes.io/router.middlewares: vault-vault-login-redirect@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: vault-login-redirect@kubernetescrd
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/service.serversscheme: https
- traefik.ingress.kubernetes.io/service.serverstransport: vault-vault-to-https@kubernetescrd
+ traefik.ingress.kubernetes.io/service.serverstransport: vault-to-https@kubernetescrd
 spec:
 ingressClassName: traefik
 tls:
diff --git a/services/vault/oidc-bootstrap-job.yaml b/services/vault/oidc-bootstrap-job.yaml
index 059434a..94f3eb5 100644
--- a/services/vault/oidc-bootstrap-job.yaml
+++ b/services/vault/oidc-bootstrap-job.yaml
@@ -2,7 +2,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: vault-oidc-bootstrap
+ name: vault-oidc-bootstrap-2
 namespace: vault
 labels:
 app: vault-oidc-bootstrap
@@ -76,4 +76,6 @@ spec:
 }
 EOF
 vault write auth/oidc/role/admin @/tmp/role.json
+ # Make OIDC the default UI login method
+ vault write sys/config/ui default_auth_method="oidc"
 echo "vault OIDC bootstrap complete"
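Review bot: In services/vault/ingress.yaml the new values `vault-login-redirect@kubernetescrd` and `vault-to-https@kubernetescrd` drop one `vault-` prefix, but Traefik resolves these references as `<namespace>-<name>@kubernetescrd`, so they now point at objects named `login-redirect` and `to-https` in namespace `vault`. No rename of the Middleware or ServersTransport is visible in this diff; if they are still called `vault-login-redirect` and `vault-to-https`, the router will not resolve its middleware and the Vault ingress is likely to stop serving. Either keep the prefixed form or rename the CRDs in the same commit, and add a comment such as `# format: <namespace>-<name>@kubernetescrd` above the annotation. Separately, as far as I know Traefik reads the `service.*` annotations from the Service object rather than the Ingress, so it is worth confirming that the HTTPS transport to Vault is actually applied; the Ingress spec continues past the end of the hunk.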
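Review bot: The added `vault write sys/config/ui default_auth_method="oidc"` in services/vault/oidc-bootstrap-job.yaml targets a path I cannot match to the Vault API: the endpoints I know under `sys/config/ui` are the custom-header ones (`sys/config/ui/headers/<name>`), so this write is likely to be rejected. Whether that fails the Job or is silently followed by `vault OIDC bootstrap complete` depends on a `set -e` that would sit above the hunk, outside the visible lines. Please verify the call against the deployed Vault version and make the outcome explicit, for example `vault write sys/config/ui default_auth_method="oidc" || { echo "setting default UI auth method failed" >&2; exit 1; }`. If the aim is only that the OIDC mount is offered on the login page, `vault auth tune -listing-visibility=unauth oidc/` is the supported setting for the `oidc/` mount this script already writes to.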