eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/argocd/manifests/authentik/deployment-worker.yaml
Erich Blume 405fc59c12 Add Authentik OIDC login for ArgoCD (#284) 
## Summary
- Add Authentik OAuth2 provider + application blueprint for ArgoCD (ringtail side)
- Add OIDC config to ArgoCD ConfigMap with Authentik as identity provider (indri side)
- Map Authentik `admins` group to ArgoCD `role:admin` via RBAC policy
- ExternalSecrets on both sides pull `argocd-client-secret` from 1Password
- Local admin password remains as break-glass — both login methods coexist

## Pre-deployment manual step
Add `argocd-client-secret` field to "Authentik (blumeops)" in 1Password with a random value (e.g., `openssl rand -hex 32`).

## Deployment order
1. Sync Authentik app on ringtail first (blueprint + secret + worker env var)
2. Sync ArgoCD app on indri second (cm, rbac, ExternalSecret)

## Verification
- [ ] `argocd-client-secret` field added to 1Password
- [ ] Authentik app synced on ringtail — blueprint applied, provider created
- [ ] ArgoCD app synced on indri — OIDC config applied
- [ ] SSO login works: visit `https://argocd.ops.eblu.me` → "Log in via Authentik" → admin access
- [ ] Break-glass: local admin/password login still works

Reviewed-on: #284
2026-03-05 09:07:25 -08:00

95 lines
2.9 KiB
YAML
Raw Blame History

---
apiVersion: apps/v1
kind: Deployment
metadata:
name: authentik-worker
namespace: authentik
spec:
replicas: 1
selector:
matchLabels:
app: authentik
component: worker
template:
metadata:
labels:
app: authentik
component: worker
spec:
containers:
- name: worker
image: registry.ops.eblu.me/blumeops/authentik
args: ["worker"]
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-config
key: secret-key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-host
- name: AUTHENTIK_POSTGRESQL__PORT
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-port
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-name
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-config
key: postgresql-password
- name: AUTHENTIK_REDIS__HOST
value: authentik-redis
- name: AUTHENTIK_GRAFANA_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: authentik-config
key: grafana-client-secret
- name: AUTHENTIK_FORGEJO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: authentik-config
key: forgejo-client-secret
- name: AUTHENTIK_ZOT_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: authentik-config
key: zot-client-secret
- name: AUTHENTIK_JELLYFIN_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: authentik-config
key: jellyfin-client-secret
- name: AUTHENTIK_ARGOCD_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: authentik-config
key: argocd-client-secret
volumeMounts:
- name: blueprints
mountPath: /blueprints/custom
readOnly: true
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "1Gi"
cpu: "1000m"
volumes:
- name: blueprints
configMap:
name: authentik-blueprints
Reference in a new issue View git blame Copy permalink