Compare commits
8 Commits
4a2e9675b7
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 4dadd1f4ab | |||
| a6dca8eb96 | |||
| 3af322dff3 | |||
| c62fdb574a | |||
| 1fc0b70e1a | |||
| 5faa2f84f6 | |||
| 58b200c512 | |||
| 7636d45f21 |
@@ -0,0 +1,3 @@
|
|||||||
|
# Members of this group get ArgoCD role:admin (mapped in argocd-rbac-cm).
|
||||||
|
# Everyone else who logs in via Authentik gets role:readonly.
|
||||||
|
name: argocd-admins
|
||||||
@@ -0,0 +1,21 @@
|
|||||||
|
# OAuth2/OIDC provider + application for the in-cluster ArgoCD
|
||||||
|
# (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed.
|
||||||
|
name: ArgoCD
|
||||||
|
authorization_flow: default-provider-authorization-implicit-consent
|
||||||
|
invalidation_flow: default-provider-invalidation-flow
|
||||||
|
client_type: confidential
|
||||||
|
client_id: argocd
|
||||||
|
client_secret_vault:
|
||||||
|
mount: kv
|
||||||
|
path: kubernetes/namespace/argocd/default/oauth-credentials
|
||||||
|
scope_mappings:
|
||||||
|
- goauthentik.io/providers/oauth2/scope-openid
|
||||||
|
- goauthentik.io/providers/oauth2/scope-email
|
||||||
|
- goauthentik.io/providers/oauth2/scope-profile
|
||||||
|
redirect_uris:
|
||||||
|
# Web UI SSO callback.
|
||||||
|
- matching_mode: strict
|
||||||
|
url: https://argocd.k8s.syd1.au.unkin.net/auth/callback
|
||||||
|
# `argocd login --sso` CLI callback (local listener).
|
||||||
|
- matching_mode: strict
|
||||||
|
url: http://localhost:8085/auth/callback
|
||||||
@@ -3,7 +3,7 @@ resource "authentik_group" "this" {
|
|||||||
|
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
is_superuser = each.value.is_superuser
|
is_superuser = each.value.is_superuser
|
||||||
parents = each.value.parents != null ? [for p in each.value.parents : authentik_group.this[p].id] : []
|
parents = each.value.parents
|
||||||
attributes = jsonencode(each.value.attributes)
|
attributes = jsonencode(each.value.attributes)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -2,6 +2,8 @@ variable "groups" {
|
|||||||
type = map(object({
|
type = map(object({
|
||||||
name = string
|
name = string
|
||||||
is_superuser = optional(bool, false)
|
is_superuser = optional(bool, false)
|
||||||
|
# PKs of existing parent groups. These must be literal group PKs, not keys
|
||||||
|
# into this map: authentik_group cannot reference itself.
|
||||||
parents = optional(list(string), null)
|
parents = optional(list(string), null)
|
||||||
attributes = optional(map(string), {})
|
attributes = optional(map(string), {})
|
||||||
}))
|
}))
|
||||||
@@ -38,9 +40,12 @@ variable "providers_oauth2" {
|
|||||||
# Managed identifiers of scope property mappings (e.g.
|
# Managed identifiers of scope property mappings (e.g.
|
||||||
# goauthentik.io/providers/oauth2/scope-openid). Resolved to ids.
|
# goauthentik.io/providers/oauth2/scope-openid). Resolved to ids.
|
||||||
scope_mappings = optional(list(string), [])
|
scope_mappings = optional(list(string), [])
|
||||||
|
# allowed_redirect_uris is list(map(string)); the API always stores a
|
||||||
|
# redirect_uri_type key, so it must be set here or every plan drifts.
|
||||||
redirect_uris = optional(list(object({
|
redirect_uris = optional(list(object({
|
||||||
matching_mode = optional(string, "strict")
|
matching_mode = optional(string, "strict")
|
||||||
url = string
|
url = string
|
||||||
|
redirect_uri_type = optional(string, "authorization")
|
||||||
})), [])
|
})), [])
|
||||||
signing_key = optional(string, null)
|
signing_key = optional(string, null)
|
||||||
access_token_validity = optional(string, "minutes=10")
|
access_token_validity = optional(string, "minutes=10")
|
||||||
|
|||||||
Reference in New Issue
Block a user