50 lines
1.8 KiB
YAML
50 lines
1.8 KiB
YAML
# ------------------------------------------------------------------------------
|
|
# ExternalSecret — ArgoCD Secrets
|
|
#
|
|
# Pulls two secrets from 1Password:
|
|
# 1. Authentik OIDC client ID + secret (for Dex connector)
|
|
# 2. Gitea personal access token (for repo access)
|
|
#
|
|
# In 1Password (mk-labs vault), create:
|
|
# Item: "argocd-oidc"
|
|
# Field: client-id → Authentik OAuth2 client ID
|
|
# Field: client-secret → Authentik OAuth2 client secret
|
|
#
|
|
# Item: "gitea-argocd-token"
|
|
# Field: token → Gitea personal access token with repo read permissions
|
|
# (Create in Gitea: Settings → Applications → Generate Token)
|
|
#
|
|
# These materialize into argocd-secret, which ArgoCD reads natively.
|
|
# The $dex.authentik.clientID / $dex.authentik.clientSecret references
|
|
# in argocd-cm.yaml are resolved by ArgoCD from this secret automatically.
|
|
# ------------------------------------------------------------------------------
|
|
apiVersion: external-secrets.io/v1beta1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: argocd-secrets
|
|
namespace: argocd
|
|
spec:
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-connect
|
|
refreshInterval: "1h"
|
|
target:
|
|
# Must be named argocd-secret — ArgoCD reads this specific secret name
|
|
name: argocd-secret
|
|
creationPolicy: Merge # Merge into existing argocd-secret, don't replace it
|
|
data:
|
|
# Authentik OIDC credentials — referenced as $dex.authentik.* in argocd-cm
|
|
- secretKey: dex.authentik.clientID
|
|
remoteRef:
|
|
key: argocd-oidc
|
|
property: client-id
|
|
- secretKey: dex.authentik.clientSecret
|
|
remoteRef:
|
|
key: argocd-oidc
|
|
property: client-secret
|
|
# Gitea token — used by the Repository credential below
|
|
- secretKey: sshPrivateKey
|
|
remoteRef:
|
|
key: gitea-argocd-ssh
|
|
property: private-key
|