Add Authentik OIDC login for ArgoCD (#284)

## Summary - Add Authentik OAuth2 provider + application blueprint for ArgoCD (ringtail side) - Add OIDC config to ArgoCD ConfigMap with Authentik as identity provider (indri side) - Map Authentik `admins` group to ArgoCD `role:admin` via RBAC policy - ExternalSecrets on both sides pull `argocd-client-secret` from 1Password - Local admin password remains as break-glass — both login methods coexist ## Pre-deployment manual step Add `argocd-client-secret` field to "Authentik (blumeops)" in 1Password with a random value (e.g., `openssl rand -hex 32`). ## Deployment order 1. Sync Authentik app on ringtail first (blueprint + secret + worker env var) 2. Sync ArgoCD app on indri second (cm, rbac, ExternalSecret) ## Verification - [ ] `argocd-client-secret` field added to 1Password - [ ] Authentik app synced on ringtail — blueprint applied, provider created - [ ] ArgoCD app synced on indri — OIDC config applied - [ ] SSO login works: visit `https://argocd.ops.eblu.me` → "Log in via Authentik" → admin access - [ ] Break-glass: local admin/password login still works Reviewed-on: #284
2026-03-05 09:07:25 -08:00 · 2026-03-05 09:07:25 -08:00 · 405fc59c12
commit 405fc59c12
parent c029e5851a
8 changed files with 115 additions and 6 deletions
--- a/argocd/manifests/authentik/configmap-blueprint.yaml
+++ b/argocd/manifests/authentik/configmap-blueprint.yaml
@ -246,6 +246,64 @@ data:
          negate: false
          timeout: 30

+  argocd.yaml: |
+    version: 1
+    metadata:
+      name: BlumeOps ArgoCD SSO
+      labels:
+        blueprints.goauthentik.io/description: "ArgoCD OIDC provider and application"
+    entries:
+      # OAuth2 provider for ArgoCD
+      - model: authentik_providers_oauth2.oauth2provider
+        id: argocd-provider
+        identifiers:
+          name: ArgoCD
+        attrs:
+          name: ArgoCD
+          authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+          invalidation_flow: !Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
+          client_type: confidential
+          client_id: argocd
+          client_secret: !Env AUTHENTIK_ARGOCD_CLIENT_SECRET
+          redirect_uris:
+            - matching_mode: strict
+              url: https://argocd.ops.eblu.me/auth/callback
+            - matching_mode: strict
+              url: https://argocd.tail8d86e.ts.net/auth/callback
+          signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+          property_mappings:
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+            - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+          sub_mode: hashed_user_id
+          include_claims_in_id_token: true
+
+      # ArgoCD application — linked to the OAuth2 provider
+      - model: authentik_core.application
+        id: argocd-app
+        identifiers:
+          slug: argocd
+        attrs:
+          name: ArgoCD
+          slug: argocd
+          provider: !KeyOf argocd-provider
+          meta_launch_url: https://argocd.ops.eblu.me
+          policy_engine_mode: any
+
+      # Policy binding — restrict ArgoCD to admins group
+      - model: authentik_policies.policybinding
+        identifiers:
+          order: 0
+          target: !KeyOf argocd-app
+          group: !Find [authentik_core.group, [name, admins]]
+        attrs:
+          target: !KeyOf argocd-app
+          group: !Find [authentik_core.group, [name, admins]]
+          order: 0
+          enabled: true
+          negate: false
+          timeout: 30
+
  jellyfin.yaml: |
    version: 1
    metadata:
--- a/argocd/manifests/authentik/deployment-worker.yaml
+++ b/argocd/manifests/authentik/deployment-worker.yaml
@ -73,6 +73,11 @@ spec:
                secretKeyRef:
                  name: authentik-config
                  key: jellyfin-client-secret
+            - name: AUTHENTIK_ARGOCD_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: authentik-config
+                  key: argocd-client-secret
          volumeMounts:
            - name: blueprints
              mountPath: /blueprints/custom
--- a/argocd/manifests/authentik/external-secret.yaml
+++ b/argocd/manifests/authentik/external-secret.yaml
@ -53,3 +53,7 @@ spec:
      remoteRef:
        key: "Authentik (blumeops)"
        property: jellyfin-client-secret
+    - secretKey: argocd-client-secret
+      remoteRef:
+        key: "Authentik (blumeops)"
+        property: argocd-client-secret