Files
argocd-apps/clusters/au-syd1/bootstrap/argocd-cm-patch.yaml
T
unkinben bc81690d9f
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/kubeconform Pipeline was successful
Wire ArgoCD to Authentik OIDC
ArgoCD had no external ingress and only local admin auth. This exposes
argocd-server behind the traefik-internal gateway and enables Authentik SSO,
so operators log in with their identity and group membership.

- argocd-cm: set url and oidc.config (Authentik issuer, argocd client,
  openid/profile/email scopes); client secret resolved from the argocd-oidc
  Secret via $argocd-oidc:client_secret
- argocd-rbac-cm: match on the groups claim; default role:readonly; map the
  argocd-admins Authentik group to role:admin
- argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP
  behind the TLS-terminating gateway
- Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana)
- Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from
  kv/kubernetes/namespace/argocd/default/oauth-credentials into the
  argocd-oidc Secret (labelled part-of=argocd)

Note: the OIDC client secret must be seeded in Vault out of band, and
argocd-server needs a one-time rollout restart to pick up server.insecure.
2026-07-12 22:31:37 +10:00

26 lines
781 B
YAML

---
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
kustomize.buildOptions: "--enable-helm"
# External URL ArgoCD serves on (TLS terminated at the traefik-internal gateway).
url: https://argocd.k8s.syd1.au.unkin.net
# OIDC login via Authentik. The client secret is seeded in Vault out of band
# and surfaced as the `argocd-oidc` Secret (labelled part-of=argocd) by VSO;
# `$argocd-oidc:client_secret` resolves the key from that Secret.
oidc.config: |
name: Authentik
issuer: https://identity.unkin.net/application/o/argocd/
clientID: argocd
clientSecret: $argocd-oidc:client_secret
requestedScopes:
- openid
- profile
- email
requestedIDTokenClaims:
groups:
essential: true