Add ArgoCD OAuth2/OIDC provider

Extends Authentik SSO to ArgoCD so cluster operators log in with their
Authentik identity and group membership instead of the local admin account.

- Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider +
  application (slug argocd), client_id argocd, openid/email/profile scopes,
  web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from
  Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching
  the existing Grafana pattern.
This commit is contained in:
2026-07-12 22:31:27 +10:00
parent 58b200c512
commit 1fc0b70e1a
+21
View File
@@ -0,0 +1,21 @@
# OAuth2/OIDC provider + application for the in-cluster ArgoCD
# (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed.
name: ArgoCD
authorization_flow: default-provider-authorization-implicit-consent
invalidation_flow: default-provider-invalidation-flow
client_type: confidential
client_id: argocd
client_secret_vault:
mount: kv
path: kubernetes/namespace/argocd/default/oauth-credentials
scope_mappings:
- goauthentik.io/providers/oauth2/scope-openid
- goauthentik.io/providers/oauth2/scope-email
- goauthentik.io/providers/oauth2/scope-profile
redirect_uris:
# Web UI SSO callback.
- matching_mode: strict
url: https://argocd.k8s.syd1.au.unkin.net/auth/callback
# `argocd login --sso` CLI callback (local listener).
- matching_mode: strict
url: http://localhost:8085/auth/callback