Added argocd

2025-04-12 13:18:15 +01:00
parent fa24633168
commit 61754a9666
3 changed files with 28 additions and 26 deletions
--- a/k8s/core/argocd/external-secrets.yaml
+++ b/k8s/core/argocd/external-secrets.yaml
@ -10,9 +10,12 @@ spec:
    deletionPolicy: Delete
    template:
      type: Opaque
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
      data:
-        dex.authentik.clientID: "{{ .client_id | quote }}"
+        id: "{{ .client_id | quote }}"
-        dex.authentik.clientSecret: "{{ .client_secret | quote }}"
+        secret: "{{ .client_secret | quote }}"
  data:
    - secretKey: client_id
      sourceRef:
--- a/k8s/core/argocd/kustomization.yaml
+++ b/k8s/core/argocd/kustomization.yaml
@ -4,7 +4,7 @@ kind: Kustomization
 resources:
  - app.yaml
  - ingress.yaml
-# - external-secrets.yaml
+  - external-secrets.yaml
 helmCharts:
  - name: argo-cd
--- a/k8s/core/argocd/values.yaml
+++ b/k8s/core/argocd/values.yaml
@ -19,16 +19,13 @@ configs:
    application.instanceLabelKey: argocd.argoproj.io/instance
    admin.enabled: true
    timeout.reconciliation: 60s
-    dex.config: |
+    oidc.config: |
-      connectors:
+      name: Authentik
-        - type: oidc
+      issuer: https://idm.hexor.cy/application/o/argocd/
-          id: authentik
+      clientID: $oidc-creds:id
-          name: Authentik
+      clientSecret: $oidc-creds:secret
-          config:
+      requestedScopes: ["openid", "profile", "email", "groups"]
-            issuer: https://auth.hexor.cy/application/o/argocd/
+      requestedIDTokenClaims: {"groups": {"essential": true}}
            clientID: $dex.authentik.clientID
            clientSecret: $dex.authentik.clientSecret
            redirectURI: https://ag.hexor.cy/api/dex/callback
  rbac:
    create: true
    policy.default: ""
@ -38,26 +35,19 @@ configs:
  secret:
    createSecret: true
    argocdServerAdminPassword: "" # <--- SET BCRYPT HASH HERE OR MANAGE EXTERNALLY
    extra:
      dex.authentik.clientID:
        valueFrom:
          secretKeyRef:
            name: oidc-creds
            key: client-id
      dex.authentik.clientSecret:
        valueFrom:
          secretKeyRef:
            name: oidc-creds
            key: client-secret
 controller:
  replicas: 1
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add resources (requests/limits), PDB etc. if needed
 # Dex OIDC provider
 dex:
-  enabled: true # Keep enabled unless using external OIDC/SAML directly
+  replicas: 1
-  # Add resources, PDB etc. if needed
+  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  enabled: false
 # Standard Redis disabled because Redis HA is enabled
 redis:
@ -78,6 +68,8 @@ redis-ha:
 # Argo CD Server (API and UI)
 server:
  replicas: 1
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  ingress:
    enabled: false
@ -90,15 +82,22 @@ server:
 # Repository Server
 repoServer:
  replicas: 1
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add resources (requests/limits), PDB etc. if needed
 # ApplicationSet Controller
 applicationSet:
  enabled: true # Enabled by default
  replicas: 1
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add resources (requests/limits), PDB etc. if needed
 # Notifications Controller
 notifications:
  enabled: true # Enabled by default
  replicas: 1
  nodeSelector:
    kubernetes.io/hostname: master.tail2fe2d.ts.net
  # Add notifiers, triggers, templates configurations if needed