Add Authentik OIDC login for ArgoCD #284

Merged
eblume merged 1 commit from feature/argocd-authentik-oidc into main 2026-03-05 09:07:26 -08:00

Summary

  • Add Authentik OAuth2 provider + application blueprint for ArgoCD (ringtail side)
  • Add OIDC config to ArgoCD ConfigMap with Authentik as identity provider (indri side)
  • Map Authentik admins group to ArgoCD role:admin via RBAC policy
  • ExternalSecrets on both sides pull argocd-client-secret from 1Password
  • Local admin password remains as break-glass — both login methods coexist

Pre-deployment manual step

Add argocd-client-secret field to "Authentik (blumeops)" in 1Password with a random value (e.g., openssl rand -hex 32).

Deployment order

  1. Sync Authentik app on ringtail first (blueprint + secret + worker env var)
  2. Sync ArgoCD app on indri second (cm, rbac, ExternalSecret)

Verification

  • argocd-client-secret field added to 1Password
  • Authentik app synced on ringtail — blueprint applied, provider created
  • ArgoCD app synced on indri — OIDC config applied
  • SSO login works: visit https://argocd.ops.eblu.me → "Log in via Authentik" → admin access
  • Break-glass: local admin/password login still works
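The ArgoCD-side manifests the summary describes, written out as an added example that is not the PR's own code: the ArgoCD URL, the 1Password item "Authentik (blumeops)" and its `argocd-client-secret` field are the ones named above; the Authentik host and application slug, the ClusterSecretStore name `onepassword` and the Secret name `argocd-authentik-oidc` are assumptions.

```yaml
# Added example (not the PR's manifests): ArgoCD consuming Authentik as OIDC provider.
# Assumed values: Authentik at https://authentik.example.invalid with application slug
# "argocd", a ClusterSecretStore named "onepassword", and a Secret "argocd-authentik-oidc"
# materialised by the ExternalSecret below.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.ops.eblu.me            # from the PR; Authentik's redirect URI is derived from this
  oidc.config: |
    name: Authentik                          # rendered as the "Log in via Authentik" button
    issuer: https://authentik.example.invalid/application/o/argocd/   # assumed host and slug
    clientID: argocd
    # $<secret-name>:<key> reads a Secret other than argocd-secret, so the value never lands in git
    clientSecret: $argocd-authentik-oidc:clientSecret
    # Authentik's default "profile" scope mapping already carries the groups claim
    requestedScopes: [openid, profile, email]
    requestedIDTokenClaims:
      groups: {essential: true}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Empty default: an SSO user outside the admins group gets no access instead of read-only.
  policy.default: ''
  # Only membership in the Authentik "admins" group grants role:admin.
  policy.csv: |
    g, admins, role:admin
  # Match policy subjects against the groups claim rather than the user's email or sub.
  scopes: '[groups]'
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argocd-authentik-oidc
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword                        # assumed store name
  target:
    name: argocd-authentik-oidc
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd  # ArgoCD only reads $secret:key references from labelled Secrets
  data:
    - secretKey: clientSecret
      remoteRef:
        key: Authentik (blumeops)            # 1Password item named in the PR
        property: argocd-client-secret       # field added in the pre-deployment step
```

Two things to check when applying this pattern: the Authentik provider must list `https://argocd.ops.eblu.me/auth/callback` as its redirect URI, and the Secret must carry the `app.kubernetes.io/part-of: argocd` label or ArgoCD silently fails to resolve the `$argocd-authentik-oidc:clientSecret` reference. Because `policy.default` is empty, a user whose Authentik groups do not include `admins` can authenticate but sees nothing, which is the intended failure mode for a single-admin setup.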
Enable SSO via Authentik so eblume (admins group) gets admin access.
Local admin password remains as break-glass. Requires adding
argocd-client-secret field to "Authentik (blumeops)" 1Password item
before deploying.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume merged commit 405fc59c12 into main 2026-03-05 09:07:26 -08:00
Reference: eblume/blumeops!284