From 11fe8a40b25d17c35eb916b432effde233c59db9 Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Mon, 10 Nov 2025 14:01:55 +0100
Subject: [PATCH] feat(k8s-peterg): Add Authentik authentication to ArgoCD
---
 k8s-peterg/argocd/kustomization.yaml | 4 +++
 k8s-peterg/argocd/oidc.yaml | 34 ++++++++++++++++++++++++
 k8s-peterg/argocd/patches/configmap.yaml | 33 +++++++++++++++++++++++
 k8s-peterg/kustomization.yaml | 7 -----
 4 files changed, 71 insertions(+), 7 deletions(-)
 create mode 100644 k8s-peterg/argocd/oidc.yaml
 create mode 100644 k8s-peterg/argocd/patches/configmap.yaml
 delete mode 100644 k8s-peterg/kustomization.yaml
diff --git a/k8s-peterg/argocd/kustomization.yaml b/k8s-peterg/argocd/kustomization.yaml
index 6b13dea..0c19f16 100644
--- a/k8s-peterg/argocd/kustomization.yaml
+++ b/k8s-peterg/argocd/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - repository.yaml
 - namespace.yaml
 - clusters.yaml
+ - oidc.yaml
 - applications-peterg.yaml
 - applications-wheatley.yaml
@@ -22,3 +23,6 @@ configMapGenerator:
 behavior: merge
 literals:
 - kustomize.buildOptions=--enable-helm
+
+patches:
+ - path: patches/configmap.yaml
diff --git a/k8s-peterg/argocd/oidc.yaml b/k8s-peterg/argocd/oidc.yaml
new file mode 100644
index 0000000..9535151
--- /dev/null
+++ b/k8s-peterg/argocd/oidc.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: argocd-authentik-provider
+ namespace: argocd
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1password-wheatley
+ target:
+ name: argocd-authentik-provider
+ creationPolicy: Owner
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/part-of: argocd
+ data:
+ - secretkey: authentik_host
+ remoteRef:
+ key: /wheatley/authentik-argocd-provider
+ property: host
+ - secretkey: authentik_slug
+ remoteRef:
+ key: /wheatley/authentik-argocd-provider
+ property: slug
+ - secretKey: dex.authentik.clientID
+ remoteRef:
+ key: /wheatley/authentik-argocd-provider
+ property: client_id
+ - secretKey: dex.authentik.clientSecret
+ remoteRef:
+ key: /wheatley/authentik-argocd-provider
+ property: client_secret
diff --git a/k8s-peterg/argocd/patches/configmap.yaml b/k8s-peterg/argocd/patches/configmap.yaml
new file mode 100644
index 0000000..2b41078
--- /dev/null
+++ b/k8s-peterg/argocd/patches/configmap.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+ labels:
+ app.kubernetes.io/name: argocd-cm
+ app.kubernetes.io/part-of: argocd
+data:
+ dex.config: |
+ connectors:
+ - name: authentik
+ id: authentik
+ type: argocd-cm
+ config:
+ issuer: $argocd-authentik-provider:dex.authentik.issuer
+ clientID: $argocd-authentik-app:dex.authentik.clientID
+ clientSecret: $argocd-authentik-app:dex.authentik.clientSecret
+ scopes:
+ - openid
+ - profile
+ - email
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-rbac-cm
+ labels:
+ app.kubernetes.io/part-of: argocd
+data:
+ policy.default: role:readonly
+ policy.csv: |
+ g, ArgoCD Admins, role:admin
diff --git a/k8s-peterg/kustomization.yaml b/k8s-peterg/kustomization.yaml
deleted file mode 100644
index 141e45c..0000000
--- a/k8s-peterg/kustomization.yaml
+++ /dev/null
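Review bot: The first two `data` entries in oidc.yaml spell the field `secretkey`, while the two entries below them use `secretKey`, which is the name the ExternalSecret schema defines. The API server will not treat the lowercase spelling as the same field, so those entries are likely to be rejected or to sync nothing; change them to `secretKey: authentik_host` and `secretKey: authentik_slug`. Separately, nothing in this `data` list produces a `dex.authentik.issuer` key, which patches/configmap.yaml reads from this Secret. Either add an entry for it or assemble it from the host and slug values under `target.template.data`.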
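Review bot: The `clientID` and `clientSecret` lines in `dex.config` read from a Secret named `argocd-authentik-app`, but oidc.yaml in this commit only creates `argocd-authentik-provider`, so unless that other Secret exists elsewhere the references will not resolve. `type: argocd-cm` is also not a Dex connector type; an Authentik OIDC provider needs `type: oidc`. The `g, ArgoCD Admins, role:admin` mapping in argocd-rbac-cm depends on a groups claim, which Dex's oidc connector drops unless `insecureEnableGroups: true` is set, so as written every user would fall through to `policy.default: role:readonly`. Because that default grants read access to any account Authentik lets through, confirm that the Authentik application is bound to the intended group, or set the default to an empty role.

```yaml
      # … unchanged: connector name and id …
      type: oidc
      config:
        # … unchanged: issuer …
        clientID: $argocd-authentik-provider:dex.authentik.clientID
        clientSecret: $argocd-authentik-provider:dex.authentik.clientSecret
        insecureEnableGroups: true
        # … unchanged: scopes …
```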
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - cilium-gatewayapi
- - argocd
- - external-secrets-operator