From 931a237261e0f113e74f1abeb0b9d44ee530f19c Mon Sep 17 00:00:00 2001
From: Ubuntu
Date: Mon, 12 Jan 2026 19:52:51 +0000
Subject: [PATCH] modified: apps/argocd-config/argocd-cm.yaml new file: apps/argocd-config/argocd-rbac-cm.yaml modified: apps/argocd-config/external-secret.yaml modified: apps/argocd-config/kustomization.yaml
---
 apps/argocd-config/argocd-cm.yaml | 24 +++++++++++++++++-------
 apps/argocd-config/argocd-rbac-cm.yaml | 13 +++++++++++++
 apps/argocd-config/external-secret.yaml | 9 ++++++---
 apps/argocd-config/kustomization.yaml | 1 +
 4 files changed, 37 insertions(+), 10 deletions(-)
 create mode 100644 apps/argocd-config/argocd-rbac-cm.yaml
diff --git a/apps/argocd-config/argocd-cm.yaml b/apps/argocd-config/argocd-cm.yaml
index be17585..c489e8c 100644
--- a/apps/argocd-config/argocd-cm.yaml
+++ b/apps/argocd-config/argocd-cm.yaml
@@ -8,14 +8,24 @@ metadata:
 app.kubernetes.io/part-of: argocd
 data:
 url: "https://argocd.k3s.stabify.de"
- oidc.config: |
- name: Authentik
- issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
- clientID: $argocd-oidc-secret:oidc_client_id
- clientSecret: $argocd-oidc-secret:oidc_client_secret
- requestedScopes: ["openid", "profile", "email", "groups"]
- # Existing Config (Standard Resource Customizations)
+ # DEX Config statt OIDC (für CLI Support)
+ dex.config: |
+ connectors:
+ - config:
+ issuer: https://auth.apps.k3s.stabify.de/application/o/argocd/
+ clientID: $argocd-oidc-secret:oidc.authentik.clientId
+ clientSecret: $argocd-oidc-secret:dex.authentik.clientSecret
+ insecureEnableGroups: true
+ scopes:
+ - openid
+ - profile
+ - email
+ name: authentik
+ type: oidc
+ id: authentik
+
+ # Resource Customizations (unverändert)
 resource.customizations.ignoreResourceUpdates.ConfigMap: |
 jqPathExpressions:
 - '.metadata.annotations."cluster-autoscaler.kubernetes.io/last-updated"'
diff --git a/apps/argocd-config/argocd-rbac-cm.yaml b/apps/argocd-config/argocd-rbac-cm.yaml
new file mode 100644
index 0000000..c4125f5 
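Review bot: The `groups` scope carried by the removed `requestedScopes` list is absent from the new connector's `scopes`, while the RBAC rows added in `argocd-rbac-cm.yaml` in this same commit match solely on group names; whether Authentik still emits a `groups` claim in the id_token under `profile` should be verified before relying on it, because `insecureEnableGroups: true` only tells Dex to forward such a claim, not to request it. The `$argocd-oidc-secret:…` references in `clientID` and `clientSecret` resolve only if that Secret carries the `app.kubernetes.io/part-of: argocd` label, and the ExternalSecret hunk in this commit does not show its target metadata, so that is worth confirming too. A comment on the connector such as `# group names Authentik returns must match the subjects in argocd-rbac-cm.yaml policy.csv` would make that coupling visible to the next editor. The `resource.customizations` block at the end of the hunk continues past it.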
--- /dev/null
+++ b/apps/argocd-config/argocd-rbac-cm.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-rbac-cm
+ namespace: argocd
+ labels:
+ app.kubernetes.io/name: argocd-rbac-cm
+ app.kubernetes.io/part-of: argocd
+data:
+ policy.csv: |
+ g, ArgoCD Admins, role:admin
+ g, ArgoCD Viewers, role:readonly
+ scopes: "[groups, email]" # Optional, falls Dex Scopes braucht
diff --git a/apps/argocd-config/external-secret.yaml b/apps/argocd-config/external-secret.yaml
index cd31c91..9a8c869 100644
--- a/apps/argocd-config/external-secret.yaml
+++ b/apps/argocd-config/external-secret.yaml
@@ -13,9 +13,12 @@ spec:
 template:
 engineVersion: v2
 data:
- # ArgoCD erwartet diese Keys für OIDC Config
- oidc.authentik.clientId: "{{ .client_id }}"
- oidc.authentik.clientSecret: "{{ .client_secret }}"
+ # ArgoCD Dex Config Key
+ dex.authentik.clientSecret: "{{ .oidc_client_secret }}"
+ # Dex braucht keine clientID im Secret, die steht in der ConfigMap.
+ # Aber wir können sie hier lassen oder entfernen.
+ oidc.authentik.clientId: "{{ .oidc_client_id }}" # Legacy / Optional
+
 data:
 - secretKey: client_id
 remoteRef:
diff --git a/apps/argocd-config/kustomization.yaml b/apps/argocd-config/kustomization.yaml
index 3ebe581..5b781ae 100644
--- a/apps/argocd-config/kustomization.yaml
+++ b/apps/argocd-config/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - external-secret.yaml
 - argocd-cm.yaml
+ - argocd-rbac-cm.yaml
\ No newline at end of file
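Review bot: The inline comment on `scopes` presents it as something Dex might need, but in `argocd-rbac-cm` the `scopes` key selects which token claims the RBAC engine compares against `policy.csv` subjects (the default being `[groups]`), so listing `email` here means a user's email address also becomes a valid subject; a more accurate comment would be `# token claims matched against policy.csv subjects; default is [groups]`. There is no `policy.default` in this ConfigMap, so if the intent is that anyone outside the two groups gets no access, state it with a comment such as `# no policy.default on purpose: users outside these groups get no permissions` so a later edit does not widen access silently. The two `g, …` rows only take effect if the group names in the id_token match these strings exactly, including the space, which is worth noting next to them.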
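Review bot: The new template values read `.oidc_client_secret` and `.oidc_client_id`, yet the `spec.data` context still visible at the end of the hunk declares `secretKey: client_id` (the removed lines used `.client_id` and `.client_secret` to match it); unless the `secretKey` names were renamed further down, outside this hunk, the template renders both keys as empty strings and Dex receives a blank client id and secret. Either rename the `secretKey` entries to match or restore `dex.authentik.clientSecret: "{{ .client_secret }}"` and `oidc.authentik.clientId: "{{ .client_id }}"`. The comment marking `oidc.authentik.clientId` as "Legacy / Optional" also contradicts `argocd-cm.yaml` in this same commit, whose `dex.config` reads `$argocd-oidc-secret:oidc.authentik.clientId`, so removing the key would break login; a comment like `# referenced by dex.config clientID in argocd-cm.yaml; do not remove` would prevent that. The `spec.data` list continues past the hunk.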