From 1fc0b70e1a52a0ddaea3a64d7614a8901e1a4e13 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Jul 2026 22:31:27 +1000 Subject: [PATCH] Add ArgoCD OAuth2/OIDC provider Extends Authentik SSO to ArgoCD so cluster operators log in with their Authentik identity and group membership instead of the local admin account. - Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider + application (slug argocd), client_id argocd, openid/email/profile scopes, web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching the existing Grafana pattern. --- config/providers_oauth2/argocd.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 config/providers_oauth2/argocd.yaml diff --git a/config/providers_oauth2/argocd.yaml b/config/providers_oauth2/argocd.yaml new file mode 100644 index 0000000..0033295 --- /dev/null +++ b/config/providers_oauth2/argocd.yaml @@ -0,0 +1,21 @@ +# OAuth2/OIDC provider + application for the in-cluster ArgoCD +# (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed. +name: ArgoCD +authorization_flow: default-provider-authorization-implicit-consent +invalidation_flow: default-provider-invalidation-flow +client_type: confidential +client_id: argocd +client_secret_vault: + mount: kv + path: kubernetes/namespace/argocd/default/oauth-credentials +scope_mappings: + - goauthentik.io/providers/oauth2/scope-openid + - goauthentik.io/providers/oauth2/scope-email + - goauthentik.io/providers/oauth2/scope-profile +redirect_uris: + # Web UI SSO callback. + - matching_mode: strict + url: https://argocd.k8s.syd1.au.unkin.net/auth/callback + # `argocd login --sso` CLI callback (local listener). + - matching_mode: strict + url: http://localhost:8085/auth/callback