Add ArgoCD OAuth2/OIDC provider #3
Reference in New Issue
Block a user
Delete Branch "benvin/argocd-oidc"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Why
Extends Authentik SSO to ArgoCD so cluster operators log in with their Authentik identity and group membership instead of the shared local admin account. First step of moving more apps onto Authentik; pairs with unkin/argocd-apps#(argocd-oidc).
Changes
config/providers_oauth2/argocd.yaml: a confidential OAuth2 provider + application (slugargocd),client_id: argocd, openid/email/profile scope mappings, and web + CLI (localhost:8085) redirect URIs.kv/kubernetes/namespace/argocd/default/oauth-credentials(keyclient_secret) — nothing sensitive committed, matching the existing Grafana provider.Prereq
Seed the OIDC client secret in Vault at the path above before apply (same key the argocd-apps VaultStaticSecret consumes).
67310cdb79to4a2e9675b7Depends on #4 (fix self-referential
authentik_groupparents). This PR adds the first managed group (argocd-admins), which trips a dormant module bug; CIplanhere will stay red until #4 merges. Will rebase onmainonce #4 is in.6498a04b62toc62fdb574aRebased on
mainnow that #4 is merged — plan is green here (3 to add: argocd provider, application, argocd-admins group). The remaining1 to changeon the grafana provider is the pre-existing redirect_uri drift, fixed independently in #5.