ArgoCD had no external ingress and only local admin auth. This exposes
argocd-server behind the traefik-internal gateway and enables Authentik SSO,
so operators log in with their identity and group membership.
- argocd-cm: set url and oidc.config (Authentik issuer, argocd client,
openid/profile/email scopes); client secret resolved from the argocd-oidc
Secret via $argocd-oidc:client_secret
- argocd-rbac-cm: match on the groups claim; default role:readonly; map the
argocd-admins Authentik group to role:admin
- argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP
behind the TLS-terminating gateway
- Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana)
- Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from
kv/kubernetes/namespace/argocd/default/oauth-credentials into the
argocd-oidc Secret (labelled part-of=argocd)
Note: the OIDC client secret must be seeded in Vault out of band, and
argocd-server needs a one-time rollout restart to pick up server.insecure.