bc81690d9f
ArgoCD had no external ingress and only local admin auth. This exposes argocd-server behind the traefik-internal gateway and enables Authentik SSO, so operators log in with their identity and group membership. - argocd-cm: set url and oidc.config (Authentik issuer, argocd client, openid/profile/email scopes); client secret resolved from the argocd-oidc Secret via $argocd-oidc:client_secret - argocd-rbac-cm: match on the groups claim; default role:readonly; map the argocd-admins Authentik group to role:admin - argocd-cmd-params-cm: server.insecure=true so argocd-server serves HTTP behind the TLS-terminating gateway - Add Gateway + HTTPRoutes for argocd.k8s.syd1.au.unkin.net (mirrors grafana) - Add VaultAuth + VaultStaticSecret sourcing the OIDC client secret from kv/kubernetes/namespace/argocd/default/oauth-credentials into the argocd-oidc Secret (labelled part-of=argocd) Note: the OIDC client secret must be seeded in Vault out of band, and argocd-server needs a one-time rollout restart to pick up server.insecure.
26 lines
781 B
YAML
26 lines
781 B
YAML
---
|
|
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: argocd-cm
|
|
namespace: argocd
|
|
data:
|
|
kustomize.buildOptions: "--enable-helm"
|
|
# External URL ArgoCD serves on (TLS terminated at the traefik-internal gateway).
|
|
url: https://argocd.k8s.syd1.au.unkin.net
|
|
# OIDC login via Authentik. The client secret is seeded in Vault out of band
|
|
# and surfaced as the `argocd-oidc` Secret (labelled part-of=argocd) by VSO;
|
|
# `$argocd-oidc:client_secret` resolves the key from that Secret.
|
|
oidc.config: |
|
|
name: Authentik
|
|
issuer: https://identity.unkin.net/application/o/argocd/
|
|
clientID: argocd
|
|
clientSecret: $argocd-oidc:client_secret
|
|
requestedScopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
requestedIDTokenClaims:
|
|
groups:
|
|
essential: true
|