From 7d94b9073ae3230e78901f5b95351bf0f4fe6016 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 21 Apr 2026 10:43:21 -0700 Subject: [PATCH] =?UTF-8?q?C0:=20docs=20=E2=80=94=20default=20argocd=20log?= =?UTF-8?q?in=20to=20--sso;=20drop=20extraneous=20--grpc-web?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Now that argocd's Authentik OAuth2 client is public, `argocd login --sso` works for day-to-day use. Promote it to the default in AGENTS.md, argocd-cli reference, and troubleshooting; keep the admin/password flow documented as a break-glass fallback for when Authentik is unavailable. Also drops --grpc-web from every interactive login command — confirmed extraneous (login succeeds without it). Left in CI workflows and `argocd cluster add` untouched; those are different contexts that I didn't re-test. Co-Authored-By: Claude Opus 4.7 (1M context) --- AGENTS.md | 2 +- argocd/manifests/argocd/README.md | 4 ++-- .../operations/rebuild-minikube-cluster.md | 24 ++++++------------- docs/how-to/operations/troubleshooting.md | 5 ++++ docs/reference/tools/argocd-cli.md | 8 +++++++ 5 files changed, 23 insertions(+), 20 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 80f9852..9e7350d 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -86,7 +86,7 @@ Most services run in minikube on indri via ArgoCD (app-of-apps, manual sync). GP **Commands:** `argocd app list|get|diff|sync ` -**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"` +**Login:** `argocd login argocd.ops.eblu.me --sso` (opens browser for Authentik SSO). Admin fallback for break-glass: `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"` ### Indri (Ansible) diff --git a/argocd/manifests/argocd/README.md b/argocd/manifests/argocd/README.md index 615e3bb..2eaf4d4 100644 
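Review bot: The new `**Login:**` line in AGENTS.md offers the admin command as a fallback without saying when it applies, whereas the troubleshooting and argocd-cli hunks in this patch limit it to Authentik being down. Because `--sso` opens a browser, a reader that cannot complete a browser flow will presumably go straight to the admin credential, so the break-glass path may become the routine one. Suggest wording such as `Admin fallback (break-glass, only if Authentik is down): …`. The fallback also expands the password into the `argocd` command line, where it is visible in the host's process list while the command runs; leaving out `--password` lets `argocd login` prompt for it instead.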
--- a/argocd/manifests/argocd/README.md +++ b/argocd/manifests/argocd/README.md @@ -25,7 +25,7 @@ kubectl wait --for=condition=available deployment/argocd-server -n argocd --time kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo # 5. Login and change password -argocd login argocd.tail8d86e.ts.net --username admin --grpc-web +argocd login argocd.tail8d86e.ts.net --username admin argocd account update-password # 6. Apply repo-creds-forge credential template for SSH access to all forge repos @@ -114,4 +114,4 @@ spec: Future improvement: integrate with a secrets operator (e.g., External Secrets). - The credential template (`repo-creds`) uses a URL prefix to match all repos on forge. - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination. -- The `--grpc-web` flag is required for CLI access through the Tailscale ingress. +- After Authentik is up, prefer `argocd login argocd.ops.eblu.me --sso` over the admin password login above; admin is only needed during bootstrap or as break-glass. diff --git a/docs/how-to/operations/rebuild-minikube-cluster.md b/docs/how-to/operations/rebuild-minikube-cluster.md index ad64c89..e23d027 100644 --- a/docs/how-to/operations/rebuild-minikube-cluster.md +++ b/docs/how-to/operations/rebuild-minikube-cluster.md 
@@ -108,18 +108,13 @@ kubectl --context=minikube-indri apply -f argocd/apps/apps.yaml # 6. Login and sync apps argocd login argocd.tail8d86e.ts.net --username admin \ --password "$(kubectl --context=minikube-indri -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d)" \ - --grpc-web -argocd app sync apps --grpc-web -``` + argocd app sync apps``` ## Phase 4: Bootstrap 1Password Connect + External Secrets ```bash # 1. Sync foundation -argocd app sync external-secrets-crds --grpc-web -argocd app sync external-secrets --grpc-web -argocd app sync 1password-connect --grpc-web - +argocd app sync external-secrets-crdsargocd app sync external-secretsargocd app sync 1password-connect # 2. Create 1Password Connect secrets manually CREDS_RAW=$(op read "op://blumeops/1Password Connect/credentials-file") echo "$CREDS_RAW" | kubectl --context=minikube-indri create secret generic op-credentials -n 1password \ 
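Review bot: Removing `--grpc-web` here also removed the line breaks that followed it, so several added lines in this runbook are fused. `argocd app sync external-secrets-crdsargocd app sync external-secretsargocd app sync 1password-connect` is a single line, and `argocd app sync apps` is joined to the closing code fence and sits behind the trailing `\` of the `--password` line. Pasted as written, the login command receives `argocd app sync apps` as extra arguments, and the Phase 4 sync passes `external-secrets-crdsargocd`, `app`, `sync`, … as application names. Each `argocd app sync …` should be back on its own line, the `\` after the `--password "$(…)"` argument dropped, and the closing fence restored on a line of its own. The next hunk (`@@ -140,25 +135,20 @@`) has the same problem in `argocd app sync tailscale-operator alloy-k8s# ... remaining apps`, where `#` no longer starts a comment, and it also lost the blank lines between the sync groups.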
@@ -140,25 +135,20 @@ kubectl --context=minikube-indri get clustersecretstores ```bash # Foundation (CRDs, operators) -argocd app sync cloudnative-pg kube-state-metrics --grpc-web - +argocd app sync cloudnative-pg kube-state-metrics # Databases -argocd app sync blumeops-pg --grpc-web - +argocd app sync blumeops-pg # Observability -argocd app sync loki prometheus tempo grafana grafana-config --grpc-web - +argocd app sync loki prometheus tempo grafana grafana-config # Register ringtail cluster (for authentik, ntfy, ollama, frigate) ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \ sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml KUBECONFIG=/tmp/k3s-ringtail.yaml argocd cluster add default --name k3s-ringtail --grpc-web -y # Authentik (critical — Zot OIDC depends on it, most image pulls depend on Zot) -argocd app sync authentik --grpc-web - +argocd app sync authentik # Everything else -argocd app sync tailscale-operator alloy-k8s --grpc-web -# ... remaining apps +argocd app sync tailscale-operator alloy-k8s# ... remaining apps ``` ## Phase 6: Restore Databases from Borgmatic diff --git a/docs/how-to/operations/troubleshooting.md b/docs/how-to/operations/troubleshooting.md index 63dc79a..84301c3 100644 --- a/docs/how-to/operations/troubleshooting.md +++ b/docs/how-to/operations/troubleshooting.md @@ -72,6 +72,11 @@ kubectl --context=minikube-indri -n get pods --field-selector=status **ArgoCD login expired:** ```bash +argocd login argocd.ops.eblu.me --sso +``` + +If Authentik itself is down, fall back to admin: +```bash argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')" ``` diff --git a/docs/reference/tools/argocd-cli.md b/docs/reference/tools/argocd-cli.md index 7a60490..a2aa223 100644 --- a/docs/reference/tools/argocd-cli.md +++ b/docs/reference/tools/argocd-cli.md 
@@ -24,6 +24,14 @@ argocd app sync apps # Sync the app-of-apps (picks up new Application ## Login +Default (Authentik SSO, PKCE, opens browser): + +```bash +argocd login argocd.ops.eblu.me --sso +``` + +Break-glass admin login (only if Authentik is down): + ```bash argocd login argocd.ops.eblu.me \ --username admin \