Deploy monitoring stack

This commit is contained in:
2026-05-18 21:42:32 -05:00
parent dbf0b18f07
commit 2ed70b4964
8 changed files with 386 additions and 25 deletions

View File

@@ -1,10 +1,9 @@
# ------------------------------------------------------------------------------
# ExternalSecret — Authentik OIDC credentials for ArgoCD
# Pulled from 1Password via Connect Server, materialized as argocd-oidc-secret
# in the argocd namespace.
#
# 1Password item: "argocd-oidc" in the "mk-labs" vault
# Fields: client-id, client-secret
# Targets argocd-secret directly — ArgoCD reads oidc.authentik.* keys
# from its own secret. ESO merges these fields into the existing secret
# without overwriting admin.password etc. (creationPolicy: Merge)
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
@@ -17,14 +16,14 @@ spec:
name: onepassword-connect
refreshInterval: "1h"
target:
name: argocd-oidc-secret
creationPolicy: Owner
name: argocd-secret
creationPolicy: Merge
data:
- secretKey: client-id
- secretKey: oidc.authentik.clientID
remoteRef:
key: argocd-oidc
property: client-id
- secretKey: client-secret
- secretKey: oidc.authentik.clientSecret
remoteRef:
key: argocd-oidc
property: client-secret

View File

@@ -83,14 +83,6 @@ configs:
g, argocd-admins, role:admin
g, argocd-viewers, role:readonly
# Secret reference for OIDC credentials
# ArgoCD reads $oidc.authentik.clientID and $oidc.authentik.clientSecret
# from the argocd-secret Kubernetes secret. We patch it via the ExternalSecret.
secret:
extra:
oidc.authentik.clientID: $argocd-oidc-secret:client-id
oidc.authentik.clientSecret: $argocd-oidc-secret:client-secret
# Repository credentials — Gitea SSH
repositories:
homelab-repo:
@@ -116,3 +108,7 @@ applicationSet:
# Disabled — using Authentik as the native OIDC provider
dex:
enabled: false
# Disable default admin user
admin:
enabled: false