Commit Graph

9 Commits

Author SHA1 Message Date
unkinben bc81690d9f Wire ArgoCD to Authentik OIDC
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
ArgoCD had no external ingress and only local admin auth. This exposes
argocd-server behind the traefik-internal gateway and enables Authentik SSO,
so operators log in with their identity and group membership.

- argocd-cm: set url and oidc.config (Authentik issuer, argocd client,
  openid/profile/email scopes); client secret resolved from the argocd-oidc
  Secret via $argocd-oidc:client_secret
- argocd-rbac-cm: match on the groups claim; default role:readonly; map the
  argocd-admins Authentik group to role:admin
- argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP
  behind the TLS-terminating gateway
- Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana)
- Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from
  kv/kubernetes/namespace/argocd/default/oauth-credentials into the
  argocd-oidc Secret (labelled part-of=argocd)

Note: the OIDC client secret must be seeded in Vault out of band, and
argocd-server needs a one-time rollout restart to pick up server.insecure.
2026-07-12 22:31:37 +10:00
unkinben 1cefd3b78e feat: change argocd crds source to artifactapi (#118)
- migrate argocd crds to come from the artifactapi service

Reviewed-on: #118
2026-05-10 21:12:44 +10:00
unkinben 842d774fc3 feat: deploy gatewayapi crds (#117)
- enable gateway api crds

Reviewed-on: #117
2026-05-10 21:05:56 +10:00
unkinben dd0e297c14 chore: mount vault CA for helm TLS trust and add ArgoCD self-management (#112)
- Patch argocd-repo-server to mount vault-ca-cert and set SSL_CERT_DIR
  so helm subprocesses trust the internal CA when pulling charts
- Add argocd Application pointing at clusters/au-syd1/bootstrap so
  ArgoCD manages its own install going forward

Reviewed-on: #112
2026-05-03 22:47:53 +10:00
unkinben 6fb98d66b0 chore: add vault CA cert to argocd-tls-certs-cm for helm TLS trust (#111)
Patches argocd-tls-certs-cm with the Vault CA chain so ArgoCD can
verify TLS when pulling Helm charts from artifactapi.k8s.syd1.au.unkin.net.

Reviewed-on: #111
2026-05-03 17:13:25 +10:00
unkinben 563b81c5d2 feat: updates for artifactapi (#21)
- remove replicas (rely on horizontal-pod-scaler)
- add raw.githubusercontent.com remote

Reviewed-on: #21
2026-03-07 00:49:30 +11:00
unkinben c23fb413f8 chore: enable helm (#3)
- enable helm for argocd

Reviewed-on: #3
2026-03-01 15:11:09 +11:00
unkinben 4ebdfbaff4 feat: add root-app for au-syd1 (#1)
enable argocd to self-deploy using the app of apps method

- add root-application deployed from bootstrap process

Reviewed-on: #1
2026-03-01 14:45:29 +11:00
unkinben 971835f845 feat: initial commit
- add structure to clusters, apps and argocd objects
- add bootstrapping features
2026-03-01 14:31:16 +11:00