ArgoCD had no external ingress and only local admin auth. This exposes
argocd-server behind the traefik-internal gateway and enables Authentik SSO,
so operators log in with their identity and group membership.
- argocd-cm: set url and oidc.config (Authentik issuer, argocd client,
openid/profile/email scopes); client secret resolved from the argocd-oidc
Secret via $argocd-oidc:client_secret
- argocd-rbac-cm: match on the groups claim; default role:readonly; map the
argocd-admins Authentik group to role:admin
- argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP
behind the TLS-terminating gateway
- Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana)
- Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from
kv/kubernetes/namespace/argocd/default/oauth-credentials into the
argocd-oidc Secret (labelled part-of=argocd)
Note: the OIDC client secret must be seeded in Vault out of band, and
argocd-server needs a one-time rollout restart to pick up server.insecure.
- Patch argocd-repo-server to mount vault-ca-cert and set SSL_CERT_DIR
so helm subprocesses trust the internal CA when pulling charts
- Add argocd Application pointing at clusters/au-syd1/bootstrap so
ArgoCD manages its own install going forward
Reviewed-on: #112
Patches argocd-tls-certs-cm with the Vault CA chain so ArgoCD can
verify TLS when pulling Helm charts from artifactapi.k8s.syd1.au.unkin.net.
Reviewed-on: #111