92af7c2e92
Extends Authentik SSO to ArgoCD so cluster operators log in with their Authentik identity and group membership instead of the local admin account. - Add config/providers_oauth2/argocd.yaml: confidential OAuth2 provider + application (slug argocd), client_id argocd, openid/email/profile scopes, web SSO and CLI (localhost:8085) redirect URIs. client_secret is read from Vault at kv/kubernetes/namespace/argocd/default/oauth-credentials, matching the existing Grafana pattern.
22 lines
836 B
YAML
22 lines
836 B
YAML
# OAuth2/OIDC provider + application for the in-cluster ArgoCD
|
|
# (argocd.k8s.syd1.au.unkin.net). client_secret is read from Vault, not committed.
|
|
name: ArgoCD
|
|
authorization_flow: default-provider-authorization-implicit-consent
|
|
invalidation_flow: default-provider-invalidation-flow
|
|
client_type: confidential
|
|
client_id: argocd
|
|
client_secret_vault:
|
|
mount: kv
|
|
path: kubernetes/namespace/argocd/default/oauth-credentials
|
|
scope_mappings:
|
|
- goauthentik.io/providers/oauth2/scope-openid
|
|
- goauthentik.io/providers/oauth2/scope-email
|
|
- goauthentik.io/providers/oauth2/scope-profile
|
|
redirect_uris:
|
|
# Web UI SSO callback.
|
|
- matching_mode: strict
|
|
url: https://argocd.k8s.syd1.au.unkin.net/auth/callback
|
|
# `argocd login --sso` CLI callback (local listener).
|
|
- matching_mode: strict
|
|
url: http://localhost:8085/auth/callback
|