Reviewed (verified against live state) and stamped last-reviewed on:

- reference/services/argocd.md: SSO via Authentik (public PKCE client), dual-cluster management (minikube + ringtail k3s), corrected sync policy (everything is manual sync, including the apps root)
- reference/services/authentik.md: blueprint list grown to 8 OIDC clients, postgresql-* secret fields, client-type table
- reference/services/grafana.md: TeslaMate datasource now pg.ops.eblu.me:5434 (ringtail), dashboard inventory refreshed, TeslaMate dashboards via pinned-tag init container
- reference/infrastructure/unifi.md: UnPoller now a locally-built image
- how-to/mealie/plan-a-meal.md: procedure verified; stored API token currently returns 401 (operational fix tracked separately)

AGENTS.md: replace the mandatory full ai-docs read with a find-relevant-docs-first rule (bulk ai-docs/ai-sources now opt-in), and document the heph CLI surface for reading and manipulating Blumeops tasks. agent-change-process.md updated to match.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
| title | modified | last-reviewed | tags |
|---|---|---|---|
| ArgoCD | 2026-06-09 | 2026-06-09 | |
ArgoCD
GitOps continuous delivery platform for the cluster.
Quick Reference
| Property | Value |
|---|---|
| URL | https://argocd.ops.eblu.me |
| Tailscale URL | https://argocd.tail8d86e.ts.net |
| Namespace | argocd |
| Git Source | ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git |
| Manifests Path | argocd/apps/ (Applications), argocd/manifests/ (workloads) |
Clusters
A single ArgoCD instance (on indri's minikube) manages both clusters:
| Cluster | Destination | Apps |
|---|---|---|
| minikube (indri) | https://kubernetes.default.svc | Most services |
| k3s (ringtail) | https://ringtail.tail8d86e.ts.net:6443 | GPU workloads and *-ringtail apps |
Sync Policy
All applications use manual sync — including the apps app-of-apps root. To pick up newly added Application manifests, sync apps explicitly:
argocd app sync apps
This gives explicit control over every deployment; nothing rolls out on push alone.
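
A drift check for the policy above, as an added example (not part of the BlumeOps repository): it reads the output of `argocd app list -o json` and flags any Application that carries an `automated` sync block or targets a destination other than the two clusters listed on this page. The sample input and its app names are constructed, and the check assumes Applications set `destination.server` rather than `destination.name`.

```python
import json
import sys

# Destinations this page lists for the two managed clusters.
KNOWN_DESTINATIONS = {
    "https://kubernetes.default.svc",          # minikube (indri)
    "https://ringtail.tail8d86e.ts.net:6443",  # k3s (ringtail)
}

def audit_apps(apps):
    """Return sorted (app name, finding) pairs for Applications that break the policy."""
    findings = []
    for app in apps:
        name = app.get("metadata", {}).get("name", "<unnamed>")
        spec = app.get("spec") or {}
        # Any 'automated' block is flagged, even an empty one: the policy is manual-only.
        if "automated" in (spec.get("syncPolicy") or {}):
            findings.append((name, "automated sync enabled"))
        # Assumption: Applications set destination.server, not destination.name.
        server = (spec.get("destination") or {}).get("server")
        if server not in KNOWN_DESTINATIONS:
            findings.append((name, f"unexpected destination: {server}"))
    return sorted(findings)

# Constructed sample in the shape of `argocd app list -o json`; only "apps" is a
# name from this page, the other names and the 203.0.113.10 address are made up.
SAMPLE = json.loads("""
[
 {"metadata": {"name": "apps"},
  "spec": {"destination": {"server": "https://kubernetes.default.svc"}}},
 {"metadata": {"name": "demo-ringtail"},
  "spec": {"destination": {"server": "https://ringtail.tail8d86e.ts.net:6443"},
           "syncPolicy": {"syncOptions": ["CreateNamespace=true"]}}},
 {"metadata": {"name": "demo-auto"},
  "spec": {"destination": {"server": "https://kubernetes.default.svc"},
           "syncPolicy": {"automated": {"prune": true}}}},
 {"metadata": {"name": "demo-stray"},
  "spec": {"destination": {"server": "https://203.0.113.10:6443"}}}
]
""")

if __name__ == "__main__":
    # Usage: argocd app list -o json > apps.json && python audit.py apps.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            apps = json.load(fh)
    else:
        apps = SAMPLE
    results = audit_apps(apps)
    for name, finding in results:
        print(f"{name}: {finding}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it finds anything, so it can gate a review step or a scheduled job.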
Authentication
- SSO via authentik — OIDC with a public PKCE client (`argocd`), shared by the web UI and CLI: `argocd login argocd.ops.eblu.me --sso`. The Authentik `admins` group maps to `role:admin` via the RBAC ConfigMap; the default policy grants no access.
- Local admin — break-glass password in 1Password (blumeops vault), for when Authentik is down.
The git deploy key (SSH) is injected via external-secrets.
Related
- argocd-cli - CLI usage and deployment workflows
- apps - Full application registry
- forgejo - Git source
- authentik - OIDC identity provider for SSO
- federated-login - How authentication works across BlumeOps