Compare commits

...

3 Commits

Author SHA1 Message Date
unkinben 67310cdb79 Fix self-referential authentik_group parents
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
Adding the first managed group (argocd-admins) exposed a dormant bug: the
groups resource resolved `parents` by indexing authentik_group.this itself,
which OpenTofu rejects as a self-referential block. config/groups/ had been
empty, so `tofu plan` never hit it before.

Pass `parents` through as literal group PKs instead (the resource cannot
reference itself, so parent-by-map-key was never viable). Plan is clean:
3 to add (argocd provider, application, argocd-admins group).
2026-07-12 22:41:56 +10:00
unkinben 4a2e9675b7 Add argocd-admins group
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
Declaratively manage the group that argocd-rbac-cm maps to role:admin, so
onboarding ArgoCD SSO does not require creating the group by hand in the UI.
2026-07-12 22:36:03 +10:00
unkinben 92af7c2e92 Add ArgoCD OAuth2/OIDC provider
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
Extends Authentik SSO to ArgoCD so cluster operators log in with their
Authentik identity and group membership instead of the local admin account.

- Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider +
  application (slug argocd), client_id argocd, openid/email/profile scopes,
  web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from
  Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching
  the existing Grafana pattern.
2026-07-12 22:31:27 +10:00
4 changed files with 29 additions and 3 deletions
+3
View File
@@ -0,0 +1,3 @@
# Members of this group get ArgoCD role:admin (mapped in argocd-rbac-cm).
# Everyone else who logs in via Authentik gets role:readonly.
name: argocd-admins
+21
View File
@@ -0,0 +1,21 @@
# OAuth2/OIDC provider + application for the in-cluster ArgoCD
# (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed.
name: ArgoCD
authorization_flow: default-provider-authorization-implicit-consent
invalidation_flow: default-provider-invalidation-flow
client_type: confidential
client_id: argocd
client_secret_vault:
mount: kv
path: kubernetes/namespace/argocd/default/oauth-credentials
scope_mappings:
- goauthentik.io/providers/oauth2/scope-openid
- goauthentik.io/providers/oauth2/scope-email
- goauthentik.io/providers/oauth2/scope-profile
redirect_uris:
# Web UI SSO callback.
- matching_mode: strict
url: https://argocd.k8s.syd1.au.unkin.net/auth/callback
# `argocd login --sso` CLI callback (local listener).
- matching_mode: strict
url: http://localhost:8085/auth/callback
+1 -1
View File
@@ -3,7 +3,7 @@ resource "authentik_group" "this" {
name = each.value.name
is_superuser = each.value.is_superuser
parents = each.value.parents != null ? [for p in each.value.parents : authentik_group.this[p].id] : []
parents = each.value.parents
attributes = jsonencode(each.value.attributes)
}
+4 -2
View File
@@ -2,8 +2,10 @@ variable "groups" {
type = map(object({
name = string
is_superuser = optional(bool, false)
parents = optional(list(string), null)
attributes = optional(map(string), {})
# PKs of existing parent groups. These must be literal group PKs, not keys
# into this map: authentik_group cannot reference itself.
parents = optional(list(string), null)
attributes = optional(map(string), {})
}))
default = {}
}