Erich Blume
405fc59c12
## Summary - Add Authentik OAuth2 provider + application blueprint for ArgoCD (ringtail side) - Add OIDC config to ArgoCD ConfigMap with Authentik as identity provider (indri side) - Map Authentik `admins` group to ArgoCD `role:admin` via RBAC policy - ExternalSecrets on both sides pull `argocd-client-secret` from 1Password - Local admin password remains as break-glass — both login methods coexist ## Pre-deployment manual step Add `argocd-client-secret` field to "Authentik (blumeops)" in 1Password with a random value (e.g., `openssl rand -hex 32`). ## Deployment order 1. Sync Authentik app on ringtail first (blueprint + secret + worker env var) 2. Sync ArgoCD app on indri second (cm, rbac, ExternalSecret) ## Verification - [ ] `argocd-client-secret` field added to 1Password - [ ] Authentik app synced on ringtail — blueprint applied, provider created - [ ] ArgoCD app synced on indri — OIDC config applied - [ ] SSO login works: visit `https://argocd.ops.eblu.me` → "Log in via Authentik" → admin access - [ ] Break-glass: local admin/password login still works Reviewed-on: #284
59 lines
1.6 KiB
YAML
59 lines
1.6 KiB
YAML
---
|
|
apiVersion: external-secrets.io/v1
|
|
kind: ExternalSecret
|
|
metadata:
|
|
name: authentik-config
|
|
namespace: authentik
|
|
spec:
|
|
refreshInterval: 1h
|
|
secretStoreRef:
|
|
kind: ClusterSecretStore
|
|
name: onepassword-blumeops
|
|
target:
|
|
name: authentik-config
|
|
creationPolicy: Owner
|
|
data:
|
|
- secretKey: secret-key
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: secret-key
|
|
- secretKey: postgresql-host
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-host
|
|
- secretKey: postgresql-port
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-port
|
|
- secretKey: postgresql-name
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-name
|
|
- secretKey: postgresql-user
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-user
|
|
- secretKey: postgresql-password
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: postgresql-password
|
|
- secretKey: grafana-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: grafana-client-secret
|
|
- secretKey: forgejo-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: forgejo-client-secret
|
|
- secretKey: zot-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: zot-client-secret
|
|
- secretKey: jellyfin-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: jellyfin-client-secret
|
|
- secretKey: argocd-client-secret
|
|
remoteRef:
|
|
key: "Authentik (blumeops)"
|
|
property: argocd-client-secret
|