authentik for argo
This commit is contained in:
30
cluster/argocd/externalsecret.yaml
Normal file
30
cluster/argocd/externalsecret.yaml
Normal file
@@ -0,0 +1,30 @@
|
|||||||
|
# ------------------------------------------------------------------------------
|
||||||
|
# ExternalSecret — Authentik OIDC credentials for ArgoCD
|
||||||
|
# Pulled from 1Password via Connect Server, materialized as argocd-oidc-secret
|
||||||
|
# in the argocd namespace.
|
||||||
|
#
|
||||||
|
# 1Password item: "argocd-oidc" in the "mk-labs" vault
|
||||||
|
# Fields: client-id, client-secret
|
||||||
|
# ------------------------------------------------------------------------------
|
||||||
|
apiVersion: external-secrets.io/v1beta1
|
||||||
|
kind: ExternalSecret
|
||||||
|
metadata:
|
||||||
|
name: argocd-oidc-secret
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
secretStoreRef:
|
||||||
|
kind: ClusterSecretStore
|
||||||
|
name: onepassword-connect
|
||||||
|
refreshInterval: "1h"
|
||||||
|
target:
|
||||||
|
name: argocd-oidc-secret
|
||||||
|
creationPolicy: Owner
|
||||||
|
data:
|
||||||
|
- secretKey: client-id
|
||||||
|
remoteRef:
|
||||||
|
key: argocd-oidc
|
||||||
|
property: client-id
|
||||||
|
- secretKey: client-secret
|
||||||
|
remoteRef:
|
||||||
|
key: argocd-oidc
|
||||||
|
property: client-secret
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
# ─── ArgoCD Helm values — fastpass cluster ───────────────────────────────────
|
# ─── ArgoCD Helm values — fastpass cluster ─────────────────────────────────────
|
||||||
# Chart: argo/argo-cd
|
# Chart: argo/argo-cd
|
||||||
# Version: 7.8.23
|
# Version: 7.8.23
|
||||||
#
|
#
|
||||||
@@ -14,13 +14,13 @@
|
|||||||
#
|
#
|
||||||
# Then apply the root app-of-apps (second and final manual step):
|
# Then apply the root app-of-apps (second and final manual step):
|
||||||
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
|
# kubectl apply -n argocd -f cluster/argocd/apps-of-apps.yaml
|
||||||
# ─────────────────────────────────────────────────────────────────────────────
|
# ───────────────────────────────────────────────────────────────────────────────
|
||||||
|
|
||||||
# ─── Global ──────────────────────────────────────────────────────────────────
|
# ─── Global ─────────────────────────────────────────────────────────────────────
|
||||||
global:
|
global:
|
||||||
domain: argocd.local.mk-labs.cloud
|
domain: argocd.local.mk-labs.cloud
|
||||||
|
|
||||||
# ─── ArgoCD server ───────────────────────────────────────────────────────────
|
# ─── ArgoCD server ──────────────────────────────────────────────────────────────
|
||||||
server:
|
server:
|
||||||
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
|
# Run insecure — TLS is terminated at ingress-nginx, not at ArgoCD itself.
|
||||||
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
|
# Without this, ArgoCD redirects to HTTPS internally and breaks behind ingress.
|
||||||
@@ -37,29 +37,27 @@ server:
|
|||||||
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
|
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
|
||||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
|
||||||
|
|
||||||
# ─── ConfigMap — core ArgoCD settings ────────────────────────────────────────
|
# ─── ConfigMap — core ArgoCD settings ───────────────────────────────────────────
|
||||||
configs:
|
configs:
|
||||||
params:
|
params:
|
||||||
# Matches --insecure above — tells the server not to handle TLS
|
|
||||||
server.insecure: "true"
|
server.insecure: "true"
|
||||||
|
|
||||||
cm:
|
cm:
|
||||||
# Gitea as the source repo — HTTPS with token auth (set in secret below)
|
|
||||||
# SSH alternative is in the repositories section if preferred
|
|
||||||
url: https://argocd.local.mk-labs.cloud
|
url: https://argocd.local.mk-labs.cloud
|
||||||
|
|
||||||
# Authentik OIDC SSO
|
# Authentik native OIDC SSO
|
||||||
# Uncomment once Authentik is configured with an ArgoCD OIDC provider
|
# Client secret pulled from 1Password via ESO → argocd-oidc-secret
|
||||||
# oidc.config: |
|
oidc.config: |
|
||||||
# name: Authentik
|
name: Authentik
|
||||||
# issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
|
issuer: https://authentik.local.mk-labs.cloud/application/o/argocd/
|
||||||
# clientID: <client-id-from-authentik>
|
clientID: $oidc.authentik.clientID
|
||||||
# clientSecret: $oidc.authentik.clientSecret
|
clientSecret: $oidc.authentik.clientSecret
|
||||||
# requestedScopes:
|
requestedScopes:
|
||||||
# - openid
|
- openid
|
||||||
# - profile
|
- profile
|
||||||
# - email
|
- email
|
||||||
# - groups
|
- groups
|
||||||
|
groupsClaim: groups
|
||||||
|
|
||||||
# Resource health checks — ignore progressing Cilium CRDs
|
# Resource health checks — ignore progressing Cilium CRDs
|
||||||
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
|
resource.customizations.health.cilium.io_CiliumLoadBalancerIPPool: |
|
||||||
@@ -69,7 +67,6 @@ configs:
|
|||||||
return hs
|
return hs
|
||||||
|
|
||||||
# Ignore ESO-injected default fields on ExternalSecret resources.
|
# Ignore ESO-injected default fields on ExternalSecret resources.
|
||||||
# ESO mutates these fields after sync causing false OutOfSync state.
|
|
||||||
resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: |
|
resource.customizations.ignoreDifferences.external-secrets.io_ExternalSecret: |
|
||||||
jqPathExpressions:
|
jqPathExpressions:
|
||||||
- '.spec.data[]?.remoteRef?.conversionStrategy'
|
- '.spec.data[]?.remoteRef?.conversionStrategy'
|
||||||
@@ -79,22 +76,22 @@ configs:
|
|||||||
- '.spec.dataFrom[]?.extract?.decodingStrategy'
|
- '.spec.dataFrom[]?.extract?.decodingStrategy'
|
||||||
- '.spec.dataFrom[]?.extract?.metadataPolicy'
|
- '.spec.dataFrom[]?.extract?.metadataPolicy'
|
||||||
|
|
||||||
# RBAC — admin gets full access, SSO groups mapped after Authentik integration
|
# RBAC — argocd-admins group from Authentik gets full access
|
||||||
rbac:
|
rbac:
|
||||||
policy.default: role:readonly
|
policy.default: role:readonly
|
||||||
policy.csv: |
|
policy.csv: |
|
||||||
g, argocd-admins, role:admin
|
g, argocd-admins, role:admin
|
||||||
|
g, argocd-viewers, role:readonly
|
||||||
|
|
||||||
|
# Secret reference for OIDC credentials
|
||||||
|
# ArgoCD reads $oidc.authentik.clientID and $oidc.authentik.clientSecret
|
||||||
|
# from the argocd-secret Kubernetes secret. We patch it via the ExternalSecret.
|
||||||
|
secret:
|
||||||
|
extra:
|
||||||
|
oidc.authentik.clientID: $argocd-oidc-secret:client-id
|
||||||
|
oidc.authentik.clientSecret: $argocd-oidc-secret:client-secret
|
||||||
|
|
||||||
# Repository credentials — Gitea SSH
|
# Repository credentials — Gitea SSH
|
||||||
# Private key is injected via ESO once external-secrets is bootstrapped.
|
|
||||||
# For initial bootstrap, create the secret manually:
|
|
||||||
# kubectl create secret generic gitea-repo \
|
|
||||||
# --namespace argocd \
|
|
||||||
# --from-literal=type=git \
|
|
||||||
# --from-literal=url=git@gitea.mk-labs.cloud:rblundon/homelab.git \
|
|
||||||
# --from-file=sshPrivateKey=/path/to/argocd_gitea_ed25519 \
|
|
||||||
# kubectl label secret gitea-repo -n argocd \
|
|
||||||
# argocd.argoproj.io/secret-type=repository
|
|
||||||
repositories:
|
repositories:
|
||||||
homelab-repo:
|
homelab-repo:
|
||||||
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
url: git@gitea.mk-labs.cloud:rblundon/homelab.git
|
||||||
@@ -102,20 +99,20 @@ configs:
|
|||||||
type: git
|
type: git
|
||||||
insecure: "false"
|
insecure: "false"
|
||||||
|
|
||||||
# ─── Redis ───────────────────────────────────────────────────────────────────
|
# ─── Redis ──────────────────────────────────────────────────────────────────────
|
||||||
redis:
|
redis:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
# ─── Notifications ───────────────────────────────────────────────────────────
|
# ─── Notifications ──────────────────────────────────────────────────────────────
|
||||||
# Disabled for now — wire into n8n via webhook later
|
# Disabled for now — wire into n8n via webhook later
|
||||||
notifications:
|
notifications:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
# ─── ApplicationSet controller ───────────────────────────────────────────────
|
# ─── ApplicationSet controller ──────────────────────────────────────────────────
|
||||||
applicationSet:
|
applicationSet:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
# ─── Dex (built-in OIDC) ─────────────────────────────────────────────────────
|
# ─── Dex ────────────────────────────────────────────────────────────────────────
|
||||||
# Disabled — using Authentik as the OIDC provider
|
# Disabled — using Authentik as the native OIDC provider
|
||||||
dex:
|
dex:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|||||||
Reference in New Issue
Block a user