feat(argo-workflows): Enable SSO through ArgoCD dex

k8s-peterg/argocd/kustomization.yaml

@@ -26,3 +26,4 @@ configMapGenerator:
 
 patches:
   - path: patches/configmap.yaml
+  - path: patches/deployments.yaml

k8s-peterg/argocd/oidc.yaml

@@ -27,3 +27,28 @@ spec:
       remoteRef:
         key: secrets/managed/argocd/authentik-oidc-credentials
         property: clientSecret
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: argo-server-sso
+  namespace: argo-workflows
+spec:
+  secretStoreRef:
+    name: vault-wheatley
+    kind: ClusterSecretStore
+  target:
+    name: argo-server-sso
+    template:
+      metadata:
+        labels:
+          app.kubernetes.io/part-of: argo-workflows
+  data:
+    - secretKey: client-id
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-id
+    - secretKey: client-secret
+      remoteRef:
+        key: secrets/managed/argo-workflows/dex-sso
+        property: client-secret

k8s-peterg/argocd/patches/configmap.yaml

@@ -23,6 +23,12 @@ data:
           - profile
           - email
           - groups
+    staticClients:
+    - name: Argo Workflows
+      id: argo-workflows-sso
+      redirectURIs:
+        - https://workflows.peterg.nl/oauth2/callback
+      secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
 ---
 apiVersion: v1
 kind: ConfigMap

k8s-peterg/argocd/patches/deployments.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-dex-server
+spec:
+  template:
+    spec:
+      containers:
+        - name: dex
+          env:
+            - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: argo-workflows-sso
+                  key: client-secret