enable oidc support for argocd

2026-01-12 19:38:18 +00:00
parent 8023a0232c
commit 36efafb2aa
3 changed files with 69 additions and 0 deletions
--- a/apps/argocd-config-app.yaml
+++ b/apps/argocd-config-app.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-config
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+    targetRevision: HEAD
+    path: apps/argocd-config
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false # Safety: Don't delete ArgoCD resources not managed by this app
+      selfHeal: true
--- a/apps/argocd-config/external-secret.yaml
+++ b/apps/argocd-config/external-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-oidc-secret-source
+  namespace: argocd
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: argocd-oidc-secret
+    template:
+      engineVersion: v2
+      data:
+        # ArgoCD erwartet diese Keys für OIDC Config
+        oidc.authentik.clientId: "{{ .client_id }}"
+        oidc.authentik.clientSecret: "{{ .client_secret }}"
+  data:
+    - secretKey: client_id
+      remoteRef:
+        key: secret/apps/argocd
+        property: client_id
+    - secretKey: client_secret
+      remoteRef:
+        key: secret/apps/argocd
+        property: client_secret
--- a/apps/argocd-config/kustomization.yaml
+++ b/apps/argocd-config/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secret.yaml
+
+patches:
+  - target:
+      kind: ConfigMap
+      name: argocd-cm
+    patch: |-
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: argocd-cm
+      data:
+        url: "https://argocd.k3s.stabify.de"
+        oidc.config: |
+          name: Authentik
+          issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
+          clientID: $argocd-oidc-secret:oidc.authentik.clientId
+          clientSecret: $argocd-oidc-secret:oidc.authentik.clientSecret
+          requestedScopes: ["openid", "profile", "email", "groups"]
+          # Optional: Admin-Gruppe mappen
+          # requestedIDTokenClaims: {"groups": {"essential": true}}