feat(k8s-peterg): Add Authentik authentication to ArgoCD

2025-11-10 14:01:55 +01:00 · 2025-11-10 14:01:55 +01:00 · 11fe8a40b2
commit 11fe8a40b2
parent e529e5c255
4 changed files with 71 additions and 7 deletions
--- a/k8s-peterg/argocd/kustomization.yaml
+++ b/k8s-peterg/argocd/kustomization.yaml
@ -7,6 +7,7 @@ resources:
  - repository.yaml
  - namespace.yaml
  - clusters.yaml
+  - oidc.yaml
  - applications-peterg.yaml
  - applications-wheatley.yaml

@ -22,3 +23,6 @@ configMapGenerator:
    behavior: merge
    literals:
      - kustomize.buildOptions=--enable-helm
+
+patches:
+  - path: patches/configmap.yaml
--- a/k8s-peterg/argocd/oidc.yaml
+++ b/k8s-peterg/argocd/oidc.yaml
@ -0,0 +1,34 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: argocd-authentik-provider
+  namespace: argocd
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: 1password-wheatley
+  target:
+    name: argocd-authentik-provider
+    creationPolicy: Owner
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argocd
+  data:
+    - secretkey: authentik_host
+      remoteRef:
+        key: /wheatley/authentik-argocd-provider
+        property: host
+    - secretkey: authentik_slug
+      remoteRef:
+        key: /wheatley/authentik-argocd-provider
+        property: slug
+    - secretKey: dex.authentik.clientID
+      remoteRef:
+        key: /wheatley/authentik-argocd-provider
+        property: client_id
+    - secretKey: dex.authentik.clientSecret
+      remoteRef:
+        key: /wheatley/authentik-argocd-provider
+        property: client_secret
--- a/k8s-peterg/argocd/patches/configmap.yaml
+++ b/k8s-peterg/argocd/patches/configmap.yaml
@ -0,0 +1,33 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  dex.config: |
+    connectors:
+    - name: authentik
+      id: authentik
+      type: argocd-cm
+      config:
+        issuer: $argocd-authentik-provider:dex.authentik.issuer
+        clientID: $argocd-authentik-app:dex.authentik.clientID
+        clientSecret: $argocd-authentik-app:dex.authentik.clientSecret
+        scopes:
+          - openid
+          - profile
+          - email
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  labels:
+    app.kubernetes.io/part-of: argocd
+data:
+  policy.default: role:readonly
+  policy.csv: |
+    g, ArgoCD Admins, role:admin