Wire ArgoCD to Authentik OIDC #253

Merged
benvin merged 1 commits from benvin/argocd-oidc into main 2026-07-12 23:04:54 +10:00
Owner

Why

ArgoCD had no external ingress and only local admin auth. This exposes argocd-server behind the traefik-internal gateway and enables Authentik SSO, so operators log in with their Authentik identity and group membership. Pairs with unkin/terraform-authentik#3 (creates the OAuth2 provider).

Changes

  • argocd-cm: set url and oidc.config (Authentik issuer identity.unkin.net/application/o/argocd/, argocd client, openid/profile/email scopes). Client secret resolved from the argocd-oidc Secret via $argocd-oidc:client_secret.
  • argocd-rbac-cm: match RBAC on the groups claim; default role:readonly; map the argocd-admins Authentik group to role:admin.
  • argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP behind the TLS-terminating gateway.
  • Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors the grafana pattern: traefik-internal, vault-issuer cert, external-dns).
  • Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from kv/kubernetes/namespace/argocd/default/oauth-credentials into the argocd-oidc Secret (labelled part-of=argocd so ArgoCD will resolve the $ reference).

Notes / rollout

  • Seed the client secret in Vault out of band (same path terraform-authentik reads).
  • The argocd namespace default SA already has Vault read access via the default k8s role, so no terraform-vault change is needed.
  • argocd-server needs a one-time rollout restart to pick up server.insecure.

Validated with kustomize build --enable-helm clusters/au-syd1/bootstrap, make kubeconform, and pre-commit (yamllint + no-plain-secrets).

## Why ArgoCD had no external ingress and only local admin auth. This exposes `argocd-server` behind the traefik-internal gateway and enables Authentik SSO, so operators log in with their Authentik identity and group membership. Pairs with unkin/terraform-authentik#3 (creates the OAuth2 provider). ## Changes - **argocd-cm**: set `url` and `oidc.config` (Authentik issuer `identity.unkin.net/application/o/argocd/`, `argocd` client, openid/profile/email scopes). Client secret resolved from the `argocd-oidc` Secret via `$argocd-oidc:client_secret`. - **argocd-rbac-cm**: match RBAC on the `groups` claim; default `role:readonly`; map the `argocd-admins` Authentik group to `role:admin`. - **argocd-cmd-params-cm**: `server.insecure=true` so `argocd-server` serves HTTP behind the TLS-terminating gateway. - Add **Gateway + HTTPRoutes** for `argocd.k8s.syd1.au.unkin.net` (mirrors the grafana pattern: traefik-internal, vault-issuer cert, external-dns). - Add **VaultAuth + VaultStaticSecret** sourcing the OIDC client secret from `kv/kubernetes/namespace/argocd/default/oauth-credentials` into the `argocd-oidc` Secret (labelled `part-of=argocd` so ArgoCD will resolve the `$` reference). ## Notes / rollout - Seed the client secret in Vault out of band (same path terraform-authentik reads). - The argocd namespace `default` SA already has Vault read access via the `default` k8s role, so no terraform-vault change is needed. - `argocd-server` needs a one-time rollout restart to pick up `server.insecure`. Validated with `kustomize build --enable-helm clusters/au-syd1/bootstrap`, `make kubeconform`, and pre-commit (yamllint + no-plain-secrets).
unkinben added 1 commit 2026-07-12 22:32:12 +10:00
Wire ArgoCD to Authentik OIDC
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
bc81690d9f
ArgoCD had no external ingress and only local admin auth. This exposes
argocd-server behind the traefik-internal gateway and enables Authentik SSO,
so operators log in with their identity and group membership.

- argocd-cm: set url and oidc.config (Authentik issuer, argocd client,
  openid/profile/email scopes); client secret resolved from the argocd-oidc
  Secret via $argocd-oidc:client_secret
- argocd-rbac-cm: match on the groups claim; default role:readonly; map the
  argocd-admins Authentik group to role:admin
- argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP
  behind the TLS-terminating gateway
- Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana)
- Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from
  kv/kubernetes/namespace/argocd/default/oauth-credentials into the
  argocd-oidc Secret (labelled part-of=argocd)

Note: the OIDC client secret must be seeded in Vault out of band, and
argocd-server needs a one-time rollout restart to pick up server.insecure.
benvin merged commit 1f4c0e11bb into main 2026-07-12 23:04:54 +10:00
benvin deleted branch benvin/argocd-oidc 2026-07-12 23:04:54 +10:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: unkin/argocd-apps#253