From 1fc0b70e1a52a0ddaea3a64d7614a8901e1a4e13 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Jul 2026 22:31:27 +1000 Subject: [PATCH 1/2] Add ArgoCD OAuth2/OIDC provider Extends Authentik SSO to ArgoCD so cluster operators log in with their Authentik identity and group membership instead of the local admin account. - Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider + application (slug argocd), client_id argocd, openid/email/profile scopes, web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching the existing Grafana pattern. --- config/providers_oauth2/argocd.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 config/providers_oauth2/argocd.yaml diff --git a/config/providers_oauth2/argocd.yaml b/config/providers_oauth2/argocd.yaml new file mode 100644 index 0000000..0033295 --- /dev/null +++ b/config/providers_oauth2/argocd.yaml @@ -0,0 +1,21 @@ +# OAuth2/OIDC provider + application for the in-cluster ArgoCD +# (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed. +name: ArgoCD +authorization_flow: default-provider-authorization-implicit-consent +invalidation_flow: default-provider-invalidation-flow +client_type: confidential +client_id: argocd +client_secret_vault: + mount: kv + path: kubernetes/namespace/argocd/default/oauth-credentials +scope_mappings: + - goauthentik.io/providers/oauth2/scope-openid + - goauthentik.io/providers/oauth2/scope-email + - goauthentik.io/providers/oauth2/scope-profile +redirect_uris: + # Web UI SSO callback. + - matching_mode: strict + url: https://argocd.k8s.syd1.au.unkin.net/auth/callback + # `argocd login --sso` CLI callback (local listener). + - matching_mode: strict + url: http://localhost:8085/auth/callback From c62fdb574a0953705b15c17ba6fed1f1b56a2c6a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Sun, 12 Jul 2026 22:36:03 +1000 Subject: [PATCH 2/2] Add argocd-admins group Declaratively manage the group that argocd-rbac-cm maps to role:admin, so onboarding ArgoCD SSO does not require creating the group by hand in the UI. --- config/groups/argocd-admins.yaml | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 config/groups/argocd-admins.yaml diff --git a/config/groups/argocd-admins.yaml b/config/groups/argocd-admins.yaml new file mode 100644 index 0000000..0b49b57 --- /dev/null +++ b/config/groups/argocd-admins.yaml @@ -0,0 +1,3 @@ +# Members of this group get ArgoCD role:admin (mapped in argocd-rbac-cm). +# Everyone else who logs in via Authentik gets role:readonly. +name: argocd-admins