C0: docs — default argocd login to --sso; drop extraneous --grpc-web

Now that argocd's Authentik OAuth2 client is public, `argocd login --sso`
works for day-to-day use. Promote it to the default in AGENTS.md,
argocd-cli reference, and troubleshooting; keep the admin/password flow
documented as a break-glass fallback for when Authentik is unavailable.

Also drops --grpc-web from every interactive login command — confirmed
extraneous (login succeeds without it). Left in CI workflows and
`argocd cluster add` untouched; those are different contexts that I
didn't re-test.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Erich Blume 2026-04-21 10:43:21 -07:00
commit 7d94b9073a
5 changed files with 23 additions and 20 deletions

View file

@ -86,7 +86,7 @@ Most services run in minikube on indri via ArgoCD (app-of-apps, manual sync). GP
**Commands:** `argocd app list|get|diff|sync <app>` **Commands:** `argocd app list|get|diff|sync <app>`
**Login:** `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"` **Login:** `argocd login argocd.ops.eblu.me --sso` (opens browser for Authentik SSO). Admin fallback for break-glass: `argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"`
### Indri (Ansible) ### Indri (Ansible)
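Review bot: the new **Login:** line makes a flow that "opens browser for Authentik SSO" the default in AGENTS.md, which is guidance for agents that usually run without a browser, so for that audience the documented default cannot complete and the admin command labelled break-glass becomes the path actually used. State which login an agent is expected to use and under what condition (no browser available, or Authentik unavailable) the `--username admin --password "$(op read ...)"` fallback is acceptable, so the break-glass wording matches how the line will be exercised. It is also worth one clause noting that the fallback places the admin password on the command line, visible in the process list while the login runs, since that is a property the SSO default does not have.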

View file

@ -25,7 +25,7 @@ kubectl wait --for=condition=available deployment/argocd-server -n argocd --time
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d && echo
# 5. Login and change password # 5. Login and change password
argocd login argocd.tail8d86e.ts.net --username admin --grpc-web argocd login argocd.tail8d86e.ts.net --username admin
argocd account update-password argocd account update-password
# 6. Apply repo-creds-forge credential template for SSH access to all forge repos # 6. Apply repo-creds-forge credential template for SSH access to all forge repos
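Review bot: dropping `--grpc-web` from `argocd login argocd.tail8d86e.ts.net --username admin` goes beyond what the commit message says was tested; the test confirmed login without the flag, and this line logs in through the Tailscale hostname, for which the bullet being deleted in the next hunk of this same file explicitly said the flag is required for CLI access through the Tailscale ingress. Either re-test the bootstrap login against argocd.tail8d86e.ts.net without the flag and say so in the message, or keep `--grpc-web` here with a note that it is specific to the Tailscale ingress path.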
@ -114,4 +114,4 @@ spec:
Future improvement: integrate with a secrets operator (e.g., External Secrets). Future improvement: integrate with a secrets operator (e.g., External Secrets).
- The credential template (`repo-creds`) uses a URL prefix to match all repos on forge. - The credential template (`repo-creds`) uses a URL prefix to match all repos on forge.
- ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination. - ArgoCD uses Tailscale Ingress with Let's Encrypt for TLS termination.
- The `--grpc-web` flag is required for CLI access through the Tailscale ingress. - After Authentik is up, prefer `argocd login argocd.ops.eblu.me --sso` over the admin password login above; admin is only needed during bootstrap or as break-glass.
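Review bot: replacing the `--grpc-web` bullet removes the only explanation of that flag anywhere in the docs, while the flag still appears in `argocd cluster add ... --grpc-web -y` and, per the commit message, in CI workflows; a reader now meets the flag with no statement of when it is needed. Keep a sentence saying where `--grpc-web` is still used and that it was not re-tested there. The new bullet also names argocd.ops.eblu.me while the login step earlier in this file targets argocd.tail8d86e.ts.net; say whether these are two routes to the same server and which one applies once bootstrap is complete.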

View file

@ -108,18 +108,13 @@ kubectl --context=minikube-indri apply -f argocd/apps/apps.yaml
# 6. Login and sync apps # 6. Login and sync apps
argocd login argocd.tail8d86e.ts.net --username admin \ argocd login argocd.tail8d86e.ts.net --username admin \
--password "$(kubectl --context=minikube-indri -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d)" \ --password "$(kubectl --context=minikube-indri -n argocd get secret argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d)" \
--grpc-web argocd app sync apps```
argocd app sync apps --grpc-web
```
## Phase 4: Bootstrap 1Password Connect + External Secrets ## Phase 4: Bootstrap 1Password Connect + External Secrets
```bash ```bash
# 1. Sync foundation # 1. Sync foundation
argocd app sync external-secrets-crds --grpc-web argocd app sync external-secrets-crdsargocd app sync external-secretsargocd app sync 1password-connect
argocd app sync external-secrets --grpc-web
argocd app sync 1password-connect --grpc-web
# 2. Create 1Password Connect secrets manually # 2. Create 1Password Connect secrets manually
CREDS_RAW=$(op read "op://blumeops/1Password Connect/credentials-file") CREDS_RAW=$(op read "op://blumeops/1Password Connect/credentials-file")
echo "$CREDS_RAW" | kubectl --context=minikube-indri create secret generic op-credentials -n 1password \ echo "$CREDS_RAW" | kubectl --context=minikube-indri create secret generic op-credentials -n 1password \
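Review bot: on the new side of this hunk, `argocd app sync apps` runs directly into the closing ``` fence, and the three Phase 4 sync commands appear as the single token `argocd app sync external-secrets-crdsargocd app sync external-secretsargocd app sync 1password-connect`; if that is the committed content rather than a rendering artifact, the fence is broken and the merged line would pass garbage application names. Confirm the file keeps one command per line and the fence on its own line. The login step itself is correct for bootstrap, since it reads the initial admin password from `argocd-initial-admin-secret` before Authentik exists, so the `--sso` default cannot apply here; a one-line comment saying so would keep readers from "fixing" it to `--sso` later.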
@ -140,25 +135,20 @@ kubectl --context=minikube-indri get clustersecretstores
```bash ```bash
# Foundation (CRDs, operators) # Foundation (CRDs, operators)
argocd app sync cloudnative-pg kube-state-metrics --grpc-web argocd app sync cloudnative-pg kube-state-metrics
# Databases # Databases
argocd app sync blumeops-pg --grpc-web argocd app sync blumeops-pg
# Observability # Observability
argocd app sync loki prometheus tempo grafana grafana-config --grpc-web argocd app sync loki prometheus tempo grafana grafana-config
# Register ringtail cluster (for authentik, ntfy, ollama, frigate) # Register ringtail cluster (for authentik, ntfy, ollama, frigate)
ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \ ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \
sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml
KUBECONFIG=/tmp/k3s-ringtail.yaml argocd cluster add default --name k3s-ringtail --grpc-web -y KUBECONFIG=/tmp/k3s-ringtail.yaml argocd cluster add default --name k3s-ringtail --grpc-web -y
# Authentik (critical — Zot OIDC depends on it, most image pulls depend on Zot) # Authentik (critical — Zot OIDC depends on it, most image pulls depend on Zot)
argocd app sync authentik --grpc-web argocd app sync authentik
# Everything else # Everything else
argocd app sync tailscale-operator alloy-k8s --grpc-web argocd app sync tailscale-operator alloy-k8s# ... remaining apps
# ... remaining apps
``` ```
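Review bot: inside one shell block, `--grpc-web` is removed from every `argocd app sync` but kept on `KUBECONFIG=/tmp/k3s-ringtail.yaml argocd cluster add default --name k3s-ringtail --grpc-web -y` with no explanation; the commit message says the only difference is that `cluster add` was not re-tested, so add a comment to that effect (or re-test and drop the flag) rather than leaving it looking deliberate. Also, the new side renders the last sync as `argocd app sync tailscale-operator alloy-k8s# ... remaining apps`; a `#` that is not at the start of a word does not begin a shell comment, so if the file really lost that line break the command would receive `alloy-k8s#`, `...`, `remaining` and `apps` as application names. Confirm the line break is present in the committed file.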
## Phase 6: Restore Databases from Borgmatic ## Phase 6: Restore Databases from Borgmatic

View file

@ -72,6 +72,11 @@ kubectl --context=minikube-indri -n <namespace> get pods --field-selector=status
**ArgoCD login expired:** **ArgoCD login expired:**
```bash ```bash
argocd login argocd.ops.eblu.me --sso
```
If Authentik itself is down, fall back to admin:
```bash
argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')" argocd login argocd.ops.eblu.me --username admin --password "$(op read 'op://vg6xf6vvfmoh5hqjjhlhbeoaie/srogeebssulhtb6tnqd7ls6qey/password')"
``` ```
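Review bot: the "If Authentik itself is down" fallback `argocd login argocd.ops.eblu.me --username admin --password "$(op read ...)"` depends on the `op` CLI being installed and signed in, so the break-glass path has a second dependency that the section does not mention, and an expired-login moment is also a likely moment for `op` to need re-authentication. Say how to obtain the admin password when `op read` is unavailable (where the 1Password item lives), and note whether the value in `argocd-initial-admin-secret` still matches after the bootstrap `argocd account update-password` step, since that is the other place a reader will look.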

View file

@ -24,6 +24,14 @@ argocd app sync apps # Sync the app-of-apps (picks up new Application
## Login ## Login
Default (Authentik SSO, PKCE, opens browser):
```bash
argocd login argocd.ops.eblu.me --sso
```
Break-glass admin login (only if Authentik is down):
```bash ```bash
argocd login argocd.ops.eblu.me \ argocd login argocd.ops.eblu.me \
--username admin \ --username admin \
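Review bot: the Default/Break-glass split is clear, but "only if Authentik is down" gives no way to tell that condition apart from an ordinary `--sso` failure (no browser on the host, callback port in use, stale session), so operators will reach for the admin password on any SSO hiccup; add a one-line reachability check of the Authentik host before the break-glass command, or state what a genuine Authentik outage looks like from the `argocd login --sso` output. "PKCE" in the heading is also the only place the docs record that the client is public; point to where the Authentik provider for argocd is defined so that claim can be verified.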