enable oidc support for argocd
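--- /dev/null
+++ b/apps/argocd-config-app.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-config
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+    targetRevision: HEAD
+    path: apps/argocd-config
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false # Safety: Don't delete ArgoCD resources not managed by this app
+      selfHeal: true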
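Review bot: The Application that manages ArgoCD's own authentication config is placed in `project: default`, which ships with no restriction on source repos, destinations or resource kinds, so any Application later added to that project inherits the same unrestricted reach into the `argocd` namespace. Consider a dedicated AppProject whose `sourceRepos` is limited to this gitops repo and whose `destinations` is limited to `namespace: argocd` on the in-cluster server, and reference it here instead of `project: default`. With `selfHeal: true` and `targetRevision: HEAD`, whoever can push to the default branch of that repo controls ArgoCD's login configuration, so branch protection on the repo is part of this change's threat model and is worth recording in a comment next to `targetRevision`.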
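--- /dev/null
+++ b/apps/argocd-config/external-secret.yaml
@@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-oidc-secret-source
+  namespace: argocd
+spec:
+  refreshInterval: 1m
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: argocd-oidc-secret
+    template:
+      engineVersion: v2
+      data:
+        # ArgoCD erwartet diese Keys für OIDC Config
+        oidc.authentik.clientId: "{{ .client_id }}"
+        oidc.authentik.clientSecret: "{{ .client_secret }}"
+  data:
+    - secretKey: client_id
+      remoteRef:
+        key: secret/apps/argocd
+        property: client_id
+    - secretKey: client_secret
+      remoteRef:
+        key: secret/apps/argocd
+        property: client_secret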
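Review bot: The Secret this ExternalSecret produces is referenced from argocd-cm with the `$argocd-oidc-secret:...` syntax, and ArgoCD only resolves such references against Secrets carrying the label `app.kubernetes.io/part-of: argocd`; the `target.template` here sets no labels, so the clientID/clientSecret lookup will most likely fail and OIDC login will not come up. Add under `target.template` a `metadata:` block containing `labels:` with `app.kubernetes.io/part-of: argocd`. The German comment above the `data:` keys would read more consistently in an otherwise English file, e.g. `# ArgoCD expects these key names for its OIDC config`.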
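--- /dev/null
+++ b/apps/argocd-config/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - external-secret.yaml
+
+patches:
+  - target:
+      kind: ConfigMap
+      name: argocd-cm
+    patch: |-
+      apiVersion: v1
+      kind: ConfigMap
+      metadata:
+        name: argocd-cm
+      data:
+        url: "https://argocd.k3s.stabify.de"
+        oidc.config: |
+          name: Authentik
+          issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
+          clientID: $argocd-oidc-secret:oidc.authentik.clientId
+          clientSecret: $argocd-oidc-secret:oidc.authentik.clientSecret
+          requestedScopes: ["openid", "profile", "email", "groups"]
+          # Optional: Admin-Gruppe mappen
+          # requestedIDTokenClaims: {"groups": {"essential": true}}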
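Review bot: Enabling OIDC here gives every user Authentik is willing to authenticate whatever `policy.default` the cluster's argocd-rbac-cm currently holds, but this commit patches only argocd-cm; no `argocd-rbac-cm` patch maps the requested `groups` scope to ArgoCD roles, and the group mapping is left as a commented-out `requestedIDTokenClaims` line. Add a second entry under `patches:` targeting ConfigMap `argocd-rbac-cm` that sets `policy.default: role:readonly` (or an empty value to deny by default) and a `g, <authentik operator group>, role:admin` line in `policy.csv`, and uncomment `requestedIDTokenClaims: {"groups": {"essential": true}}` so the groups claim is actually requested in the ID token. Whether the built-in `admin` account should remain enabled once SSO works is not addressed either; `admin.enabled: "false"` in argocd-cm is the usual follow-up after the SSO path has been verified, and is worth noting in a comment here.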