Add authentik sso for argocd

2026-06-02 11:45:18 +00:00 · 2025-08-03 17:09:39 +02:00
parent 69307c84bb
commit a341eead5e
3 changed files with 47 additions and 3 deletions
@@ -32,3 +32,41 @@ spec:
              cert-manager.io/cluster-issuer: letsencrypt
            hostname: argocd.sdg.moe
            tls: true
+        configs:
+          cm:
+            dex.config: |
+              connectors:
+              - id: authentik
+                name: authentik
+                type: oidc
+                config:
+                  issuer: https://authentik.sdg.moe/application/o/argocd/
+                  clientID: $authentik:clientId
+                  clientSecret: $authentik:clientSecret
+                  insecureEnableGroups: true
+                  scopes:
+                    - openid
+                    - profile
+                    - email
+          rbac:
+            policy.csv: |
+              g, admins, role:admin
+              g, read-only, role:admins
+        extraObjects:
+        - apiVersion: external-secrets.io/v1
+          kind: ExternalSecret
+          metadata:
+            name: authentik
+          spec:
+            refreshInterval: 24h
+            secretStoreRef:
+              name: bitwarden
+              kind: ClusterSecretStore
+            target:
+              template:
+                metadata:
+                  labels:
+                    app.kubernetes.io/part-of: argocd
+            dataFrom:
+            - extract:
+                key: argocd-sso
@@ -63,6 +63,11 @@ spec:
              - authentik.sdg.moe
            annotations:
              cert-manager.io/cluster-issuer: letsencrypt
+              acme.cert-manager.io/http01-edit-in-place: "true"
+            tls:
+            - secretName: authentik-tls
+              hosts:
+                - authentik.sdg.moe

        redis:
          enabled: true
@@ -7,20 +7,21 @@ spec:
    bitwardensecretsmanager:
      apiURL: https://vault.bitwarden.eu/api
      identityURL: https://vault.bitwarden.eu/identity
+      organizationID: b461238b-9b93-4598-b12c-b32c00834ab6
+      projectID: b63f0f85-2c6f-4f99-b999-b32c009d7bdf
+
      auth:
        secretRef:
          credentials:
            namespace: external-secrets
            name: bitwarden-access-token
            key: token
+      bitwardenServerSDKURL: https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998
      caProvider:
        type: Secret
        namespace: external-secrets
        name: bitwarden-tls-certs
        key: ca.crt
-
-      organizationID: b461238b-9b93-4598-b12c-b32c00834ab6
-      projectID: b63f0f85-2c6f-4f99-b999-b32c009d7bdf
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate