Commit Graph

14 Commits

Author SHA1 Message Date
unkinben 92af7c2e92 Add ArgoCD OAuth2/OIDC provider
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
Extends Authentik SSO to ArgoCD so cluster operators log in with their
Authentik identity and group membership instead of the local admin account.

- Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider +
  application (slug argocd), client_id argocd, openid/email/profile scopes,
  web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from
  Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching
  the existing Grafana pattern.
2026-07-12 22:31:27 +10:00
benvin 9e75f39a06 Merge pull request 'Initial scaffold' (#1) from benvin/initial-scaffold into main
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #1
2026-07-06 23:52:04 +10:00
benvin 11a25fdca0 Merge pull request 'authentik: add Grafana OAuth2/OIDC provider' (#2) from benvin/grafana-oidc into benvin/initial-scaffold
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Reviewed-on: #2
2026-07-06 23:50:13 +10:00
unkinben 0b1b67fbd5 ci: re-run after vault #82 applied (token + oauth read policy live)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-07-06 23:44:04 +10:00
unkinben 93742883a5 fix: skip_child_token on vault provider
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
The CI VAULT_TOKEN (short-lived k8s-auth role token) can't create child
tokens, so the vault provider failed with 'failed to create limited child
token: permission denied'. Use the token directly.
2026-07-06 23:43:16 +10:00
unkinben d96d36a079 makefile: source TF_VAR_authentik_token from vault (kv/service/terraform/authentik)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
The authentik provider needs a token but nothing supplied it, so plan
failed with 'No value for required variable authentik_token'. Source it
from Vault in vault_env like the consul creds, from the dedicated
terraform-service path kv/service/terraform/authentik (field: token),
overridable via AUTHENTIK_TOKEN_KV_* vars.
2026-07-06 23:32:21 +10:00
unkinben 41cc0fce8b ci: re-run plan on fixed head (duplicate required_providers resolved)
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-07-06 23:17:37 +10:00
unkinben d1aef45d1d fix: drop duplicate required_providers from generated backend.tf
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
The module's versions.tf and the root.hcl-generated backend.tf both
declared required_providers, which OpenTofu rejects ("A module may have
only one required providers configuration"), so terragrunt init/plan
failed. Keep them in the module's versions.tf (authentik + vault) and
generate only the backend + provider blocks.
2026-07-06 23:12:43 +10:00
unkinben 3d7131032f ci: re-run plan after terraform-vault kv policy applied
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-07-06 23:08:03 +10:00
unkinben 97be93a9ff authentik: add Grafana OAuth2/OIDC provider + application
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
Adds an OIDC provider + application so the in-cluster Grafana
(grafana.k8s.syd1.au.unkin.net) can authenticate users against Authentik.

Extends the oauth2 module so provider config stays declarative and
secret-free:
- Resolve authorization/invalidation flows by slug (data.authentik_flow)
  and scope mappings by managed identifier
  (data.authentik_property_mapping_provider_scope).
- Read client_secret from Vault kv-v2 (data.vault_kv_secret_v2) instead of
  committing it; adds the hashicorp/vault provider (auth via VAULT_ADDR/
  VAULT_TOKEN from the Makefile).
- Support allowed_redirect_uris on the oauth2 provider.

config/providers_oauth2/grafana.yaml wires client_id `grafana`, the
openid/email/profile scopes, the login/generic_oauth redirect URI, and
points client_secret at kv/kubernetes/namespace/grafana/default/oauth-credentials.
2026-07-06 22:06:48 +10:00
unkinben 00a122135e Use identity.k8s.syd1.au.unkin.net as provider endpoint
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline was successful
2026-06-28 12:11:47 +10:00
unkinben 8aa2273dcf Fix provider schema for goauthentik/authentik 2026.5.0
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline was successful
- group: parent → parents (list)
- saml/oauth2: add required invalidation_flow
- oauth2: remove redirect_uris (use allowed_redirect_uris via config)
- ldap: replace authorization_flow/search_group with bind_flow/unbind_flow
- Add versions.tf with required_providers block
- Remove service_connection from outpost (auto-discovered)
2026-06-28 12:04:19 +10:00
unkinben 4042760a16 Initial scaffold
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
- Terraform module for groups, SAML/OAuth2/LDAP providers, applications, and LDAP outposts
- Data-driven YAML config with Terragrunt config loader
- Environment: identity.unkin.net with Consul backend
- Provider: goauthentik/authentik 2026.5.0
- Woodpecker CI pipelines (pre-commit, plan, apply)
- Makefile with Vault AppRole and K8s auth support
2026-06-28 11:55:26 +10:00
gitadmin 2d87c83ab9 Initial commit 2026-06-28 01:00:14 +10:00