Wire ArgoCD to Authentik OIDC (#253)

## Why

ArgoCD had no external ingress and only local admin auth. This exposes `argocd-server` behind the traefik-internal gateway and enables Authentik SSO, so operators log in with their Authentik identity and group membership. Pairs with unkin/terraform-authentik#3 (creates the OAuth2 provider).

## Changes

- **argocd-cm**: set `url` and `oidc.config` (Authentik issuer `identity.unkin.net/application/o/argocd/`, `argocd` client, openid/profile/email scopes). Client secret resolved from the `argocd-oidc` Secret via `$argocd-oidc:client_secret`.
- **argocd-rbac-cm**: match RBAC on the `groups` claim; default `role:readonly`; map the `argocd-admins` Authentik group to `role:admin`.
- **argocd-cmd-params-cm**: `server.insecure=true` so `argocd-server` serves HTTP behind the TLS-terminating gateway.
- Add **Gateway + HTTPRoutes** for `argocd.k8s.syd1.au.unkin.net` (mirrors the grafana pattern: traefik-internal, vault-issuer cert, external-dns).
- Add **VaultAuth + VaultStaticSecret** sourcing the OIDC client secret from `kv/kubernetes/namespace/argocd/default/oauth-credentials` into the `argocd-oidc` Secret (labelled `part-of=argocd` so ArgoCD will resolve the `$` reference).

## Notes / rollout

- Seed the client secret in Vault out of band (same path terraform-authentik reads).
- The argocd namespace `default` SA already has Vault read access via the `default` k8s role, so no terraform-vault change is needed.
- `argocd-server` needs a one-time rollout restart to pick up `server.insecure`.

Validated with `kustomize build --enable-helm clusters/au-syd1/bootstrap`, `make kubeconform`, and pre-commit (yamllint + no-plain-secrets).

Reviewed-on: #253
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
This commit was merged in pull request #253.
This commit is contained in:
2026-07-12 23:04:53 +10:00
committed by BenVincent
parent 1f22ec2aa7
commit 1f4c0e11bb
8 changed files with 189 additions and 0 deletions
@@ -6,3 +6,20 @@ metadata:
namespace: argocd
data:
kustomize.buildOptions: "--enable-helm"
# External URL ArgoCD serves on (TLS terminated at the traefik-internal gateway).
url: https://argocd.k8s.syd1.au.unkin.net
# OIDC login via Authentik. The client secret is seeded in Vault out of band
# and surfaced as the `argocd-oidc` Secret (labelled part-of=argocd) by VSO;
# `$argocd-oidc:client_secret` resolves the key from that Secret.
oidc.config: |
name: Authentik
issuer: https://identity.unkin.net/application/o/argocd/
clientID: argocd
clientSecret: $argocd-oidc:client_secret
requestedScopes:
- openid
- profile
- email
requestedIDTokenClaims:
groups:
essential: true