Add ArgoCD OAuth2/OIDC provider #3

Merged
benvin merged 3 commits from benvin/argocd-oidc into main 2026-07-12 23:04:47 +10:00
Owner

Why

Extends Authentik SSO to ArgoCD so cluster operators log in with their Authentik identity and group membership instead of the shared local admin account. First step of moving more apps onto Authentik; pairs with unkin/argocd-apps#(argocd-oidc).

Changes

  • Add config/providers_oauth2/argocd.yaml: a confidential OAuth2 provider + application (slug argocd), client_id: argocd, openid/email/profile scope mappings, and web + CLI (localhost:8085) redirect URIs.
  • Reads the client secret from Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials (key client_secret) — nothing sensitive committed, matching the existing Grafana provider.

Prereq

Seed the OIDC client secret in Vault at the path above before apply (same key the argocd-apps VaultStaticSecret consumes).

## Why Extends Authentik SSO to ArgoCD so cluster operators log in with their Authentik identity and group membership instead of the shared local admin account. First step of moving more apps onto Authentik; pairs with unkin/argocd-apps#(argocd-oidc). ## Changes - Add `config/providers_oauth2/argocd.yaml`: a confidential OAuth2 provider + application (slug `argocd`), `client_id: argocd`, openid/email/profile scope mappings, and web + CLI (`localhost:8085`) redirect URIs. - Reads the client secret from Vault at `kv/kubernetes/namespace/argocd/default/oauth-credentials` (key `client_secret`) — nothing sensitive committed, matching the existing Grafana provider. ## Prereq Seed the OIDC client secret in Vault at the path above before apply (same key the argocd-apps VaultStaticSecret consumes).
unkinben force-pushed benvin/argocd-oidc from 67310cdb79 to 4a2e9675b7 2026-07-12 22:42:54 +10:00 Compare
Author
Owner

Depends on #4 (fix self-referential authentik_group parents). This PR adds the first managed group (argocd-admins), which trips a dormant module bug; CI plan here will stay red until #4 merges. Will rebase on main once #4 is in.

Depends on #4 (fix self-referential `authentik_group` parents). This PR adds the first managed group (`argocd-admins`), which trips a dormant module bug; CI `plan` here will stay red until #4 merges. Will rebase on `main` once #4 is in.
unkinben added 2 commits 2026-07-12 22:59:07 +10:00
Extends Authentik SSO to ArgoCD so cluster operators log in with their
Authentik identity and group membership instead of the local admin account.

- Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider +
  application (slug argocd), client_id argocd, openid/email/profile scopes,
  web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from
  Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching
  the existing Grafana pattern.
Add argocd-admins group
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
c62fdb574a
Declaratively manage the group that argocd-rbac-cm maps to role:admin, so
onboarding ArgoCD SSO does not require creating the group by hand in the UI.
unkinben force-pushed benvin/argocd-oidc from 6498a04b62 to c62fdb574a 2026-07-12 22:59:07 +10:00 Compare
Author
Owner

Rebased on main now that #4 is merged — plan is green here (3 to add: argocd provider, application, argocd-admins group). The remaining 1 to change on the grafana provider is the pre-existing redirect_uri drift, fixed independently in #5.

Rebased on `main` now that #4 is merged — plan is green here (3 to add: argocd provider, application, argocd-admins group). The remaining `1 to change` on the grafana provider is the pre-existing redirect_uri drift, fixed independently in #5.
benvin added 1 commit 2026-07-12 23:02:23 +10:00
Merge branch 'main' into benvin/argocd-oidc
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
a6dca8eb96
benvin merged commit 4dadd1f4ab into main 2026-07-12 23:04:47 +10:00
benvin deleted branch benvin/argocd-oidc 2026-07-12 23:04:48 +10:00
Sign in to join this conversation.