blumeops/docs
Erich Blume 405fc59c12 Add Authentik OIDC login for ArgoCD (#284)
## Summary
- Add Authentik OAuth2 provider + application blueprint for ArgoCD (ringtail side)
- Add OIDC config to ArgoCD ConfigMap with Authentik as identity provider (indri side)
- Map Authentik `admins` group to ArgoCD `role:admin` via RBAC policy
- ExternalSecrets on both sides pull `argocd-client-secret` from 1Password
- Local admin password remains as break-glass — both login methods coexist

## Pre-deployment manual step
Add `argocd-client-secret` field to "Authentik (blumeops)" in 1Password with a random value (e.g., `openssl rand -hex 32`).

## Deployment order
1. Sync Authentik app on ringtail first (blueprint + secret + worker env var)
2. Sync ArgoCD app on indri second (cm, rbac, ExternalSecret)

## Verification
- [ ] `argocd-client-secret` field added to 1Password
- [ ] Authentik app synced on ringtail — blueprint applied, provider created
- [ ] ArgoCD app synced on indri — OIDC config applied
- [ ] SSO login works: visit `https://argocd.ops.eblu.me` → "Log in via Authentik" → admin access
- [ ] Break-glass: local admin/password login still works

Reviewed-on: #284
2026-03-05 09:07:25 -08:00

| Name | Last commit | Date |
| --- | --- | --- |
| changelog.d | Add Authentik OIDC login for ArgoCD (#284) | 2026-03-05 09:07:25 -08:00 |
| explanation | Integrate Forgejo with Authentik OIDC (#228) | 2026-02-20 17:39:50 -08:00 |
| how-to | Review migrate-forgejo-from-brew doc, fix stale Phase 3 reference | 2026-03-05 08:29:58 -08:00 |
| reference | Bump kiwix-serve from 3.8.1 to 3.8.2 | 2026-03-05 08:12:32 -08:00 |
| tutorials | Retire plans directory, convert migrate-forgejo-from-brew to mikado card | 2026-03-04 20:28:14 -08:00 |
| index.md | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |
| quartz.config.ts | Move zk cards to docs/zk/ for documentation restructuring (#84) | 2026-02-03 09:13:50 -08:00 |
| quartz.layout.ts | Expose Forgejo publicly at forge.eblu.me (#278) | 2026-03-03 08:40:41 -08:00 |