authentik for argo

This commit is contained in:
2026-05-18 19:43:21 -05:00
parent 1cfc9b5f5d
commit dbf0b18f07
2 changed files with 64 additions and 37 deletions

View File

@@ -0,0 +1,30 @@
# ------------------------------------------------------------------------------
# ExternalSecret — Authentik OIDC credentials for ArgoCD
# Pulled from 1Password via Connect Server, materialized as argocd-oidc-secret
# in the argocd namespace.
#
# 1Password item: "argocd-oidc" in the "mk-labs" vault
# Fields: client-id, client-secret
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: argocd
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
refreshInterval: "1h"
target:
name: argocd-oidc-secret
creationPolicy: Owner
data:
- secretKey: client-id
remoteRef:
key: argocd-oidc
property: client-id
- secretKey: client-secret
remoteRef:
key: argocd-oidc
property: client-secret

View File

@@ -1,4 +1,4 @@
# ─── ArgoCD Helm values — fastpass cluster ─────────────────────────────────── # ─── ArgoCD Helm values — fastpass cluster ─────────────────────────────────────
# Chart: argo/argo-cd # Chart: argo/argo-cd
# Version: 7.8.23 # Version: 7.8.23
# #
@@ -14,13 +14,13 @@
# #
# Then apply the root app-of-apps (second and final manual step): # Then apply the root app-of-apps (second and final manual step):
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml # kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
# ───────────────────────────────────────────────────────────────────────────── # ───────────────────────────────────────────────────────────────────────────────
# ─── Global ────────────────────────────────────────────────────────────────── # ─── Global ─────────────────────────────────────────────────────────────────────
global: global:
domain: argocd.local.mk-labs.cloud domain: argocd.local.mk-labs.cloud
# ─── ArgoCD server ─────────────────────────────────────────────────────────── # ─── ArgoCD server ──────────────────────────────────────────────────────────────
server: server:
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself. # Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress. # Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
@@ -37,29 +37,27 @@ server:
nginx.ingress.kubernetes.io/ssl-passthrough: "false" nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP" nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
# ─── ConfigMap — core ArgoCD settings ──────────────────────────────────────── # ─── ConfigMap — core ArgoCD settings ───────────────────────────────────────────
configs: configs:
params: params:
# Matches --insecure above — tells the server not to handle TLS
server.insecure: "true" server.insecure: "true"
cm: cm:
# Gitea as the source repo — HTTPS with token auth (set in secret below)
# SSH alternative is in the repositories section if preferred
url: https://argocd.local.mk-labs.cloud url: https://argocd.local.mk-labs.cloud
# Authentik OIDC SSO # Authentik native OIDC SSO
# Uncomment once Authentik is configured with an ArgoCD OIDC provider # Client secret pulled from 1Password via ESO → argocd-oidc-secret
# oidc.config: | oidc.config: |
# name: Authentik name: Authentik
# issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/ issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
# clientID: <client-id-from-authentik> clientID: $oidc.authentik.clientID
# clientSecret: $oidc.authentik.clientSecret clientSecret: $oidc.authentik.clientSecret
# requestedScopes: requestedScopes:
# - openid - openid
# - profile - profile
# - email - email
# - groups - groups
groupsClaim: groups
# Resource health checks — ignore progressing Cilium CRDs # Resource health checks — ignore progressing Cilium CRDs
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: | resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
@@ -69,7 +67,6 @@ configs:
return hs return hs
# Ignore ESO-injected default fields on ExternalSecret resources. # Ignore ESO-injected default fields on ExternalSecret resources.
# ESO mutates these fields after sync causing false OutOfSync state.
resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: | resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: |
jqPathExpressions: jqPathExpressions:
- '.spec.data[]?.remoteRef?.conversionStrategy' - '.spec.data[]?.remoteRef?.conversionStrategy'
@@ -79,22 +76,22 @@ configs:
- '.spec.dataFrom[]?.extract?.decodingStrategy' - '.spec.dataFrom[]?.extract?.decodingStrategy'
- '.spec.dataFrom[]?.extract?.metadataPolicy' - '.spec.dataFrom[]?.extract?.metadataPolicy'
# RBAC — admin gets full access, SSO groups mapped after Authentik integration # RBAC — argocd-admins group from Authentik gets full access
rbac: rbac:
policy.default: role:readonly policy.default: role:readonly
policy.csv: | policy.csv: |
g, argocd-admins, role:admin g, argocd-admins, role:admin
g, argocd-viewers, role:readonly
# Secret reference for OIDC credentials
# ArgoCD reads $oidc.authentik.clientID and $oidc.authentik.clientSecret
# from the argocd-secret Kubernetes secret. We patch it via the ExternalSecret.
secret:
extra:
oidc.authentik.clientID: $argocd-oidc-secret:client-id
oidc.authentik.clientSecret: $argocd-oidc-secret:client-secret
# Repository credentials — Gitea SSH # Repository credentials — Gitea SSH
# Private key is injected via ESO once external-secrets is bootstrapped.
# For initial bootstrap, create the secret manually:
# kubectl create secret generic gitea-repo \
# --namespace argocd \
# --from-literal=type=git \
# --from-literal=url=git@gitea.mk-labs.cloud:rblundon/homelab.git \
# --from-file=sshPrivateKey=/path/to/argocd_gitea_ed25519 \
# kubectl label secret gitea-repo -n argocd \
# argocd.argoproj.io/secret-type=repository
repositories: repositories:
homelab-repo: homelab-repo:
url: git@gitea.mk-labs.cloud:rblundon/homelab.git url: git@gitea.mk-labs.cloud:rblundon/homelab.git
@@ -102,20 +99,20 @@ configs:
type: git type: git
insecure: "false" insecure: "false"
# ─── Redis ─────────────────────────────────────────────────────────────────── # ─── Redis ──────────────────────────────────────────────────────────────────────
redis: redis:
enabled: true enabled: true
# ─── Notifications ─────────────────────────────────────────────────────────── # ─── Notifications ──────────────────────────────────────────────────────────────
# Disabled for now — wire into n8n via webhook later # Disabled for now — wire into n8n via webhook later
notifications: notifications:
enabled: false enabled: false
# ─── ApplicationSet controller ─────────────────────────────────────────────── # ─── ApplicationSet controller ──────────────────────────────────────────────────
applicationSet: applicationSet:
enabled: true enabled: true
# ─── Dex (built-in OIDC) ───────────────────────────────────────────────────── # ─── Dex ────────────────────────────────────────────────────────────────────────
# Disabled — using Authentik as the OIDC provider # Disabled — using Authentik as the native OIDC provider
dex: dex:
enabled: false enabled: false