Wire ArgoCD to Authentik OIDC
ArgoCD had no external ingress and only local admin auth. This exposes argocd-server behind the traefik-internal gateway and enables Authentik SSO, so operators log in with their identity and group membership. - argocd-cm: set url and oidc.config (Authentik issuer, argocd client, openid/profile/email scopes); client secret resolved from the argocd-oidc Secret via $argocd-oidc:client_secret - argocd-rbac-cm: match on the groups claim; default role:readonly; map the argocd-admins Authentik group to role:admin - argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP behind the TLS-terminating gateway - Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana) - Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from kv/kubernetes/namespace/argocd/default/oauth-credentials into the argocd-oidc Secret (labelled part-of=argocd) Note: the OIDC client secret must be seeded in Vault out of band, and argocd-server needs a one-time rollout restart to pick up server.insecure.
This commit is contained in:
@@ -0,0 +1,23 @@
|
||||
---
|
||||
apiVersion: secrets.hashicorp.com/v1beta1
|
||||
kind: VaultStaticSecret
|
||||
metadata:
|
||||
name: argocd-oidc
|
||||
namespace: argocd
|
||||
spec:
|
||||
vaultAuthRef: default
|
||||
mount: kv
|
||||
type: kv-v2
|
||||
# Seeded out of band; same secret is read by terraform-authentik to configure
|
||||
# the provider's client_secret. Key: client_secret.
|
||||
path: kubernetes/namespace/argocd/default/oauth-credentials
|
||||
refreshAfter: 5m
|
||||
hmacSecretData: true
|
||||
destination:
|
||||
name: argocd-oidc
|
||||
create: true
|
||||
overwrite: true
|
||||
# ArgoCD only resolves `$secret:key` references against Secrets carrying
|
||||
# this label.
|
||||
labels:
|
||||
app.kubernetes.io/part-of: argocd
|
||||
Reference in New Issue
Block a user