sso for argocd

infrastructure/argocd/argocd-oauth.configmap.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  url: https://argocd.kluster.moll.re
+
+  oidc.config: |
+    name: Authelia
+    issuer: https://auth.kluster.moll.re
+    clientID: argocd
+    # If you want to store sensitive data in another Kubernetes Secret, instead of argocd-secret. ArgoCD knows to check the keys under data in your Kubernetes Secret for a corresponding key whenever a value in a configmap or secret starts with $, then your Kubernetes Secret name and : (colon).
+    clientSecret: $argocd-oauth:client-secret
+
+    skipAudienceCheckWhenTokenHasNoAudience: true
+
+    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
+    requestedScopes: ["openid", "profile", "email", "groups"]
+
+    # Optional set of OIDC claims to request on the ID token.
+    requestedIDTokenClaims: {"groups": {"essential": true}}

infrastructure/argocd/argocd-oauth.sealedsecret.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: argocd-oauth
+  namespace: argocd
+spec:
+  encryptedData:
+    client-secret: AgAGtwiMd6OOz2IT2QJJR6unSYgLqNVJCb63a6hHko749nK8Kx1WgLwCYT/UURQYUusqMMPkNqbkA+jLUgh92fa7MKhtj4GysSvWavB+j8oFWT3YZbNcYNoJsTxg8mIRKiMFmp5um703e5RtGCv7eiOWdVtHftVv1BycPVeVHUuLU5usc8lmgnTTEPiRUEUB8MjGd7bIEgJ9q5oAiRTiwefickS1NgC02K2K8hVAhG/VkP0lqYn0xYgsy4W4i/7Q7AxRxCwX3y23spjXNUCRJRYvgF7Cf+MHdBgk6xPtvJF3jDLJfw8H2ilUx0GaxkESCDIE/FSVlbhMXmUdVYB9SLVo9K/tzqHe536ufGWO+U7H92mhZl5oZcA7qP9iXLUy13sAY/slixbKT6y4BJ3Tnt/pK1IydASsOE/uuwuN5q6AHWvG++DSHEPfE8xOH3bRVph8aIJD9hi8UlH7KGlEDPIaY3twpaJDUweaGVRTEnjvxW/hKfp2SF8A0PtGDeKSSii/XBZjxjROdOvE2+xM/WTVdVqddvErzogEKfljMvb5Z4OQiNj7fFvFMVuRD55To8p/cYZu+KHx+D8tuUMH3zk6AdADs/0bjI0xAz3PJUAmVp4RE4k0vP8LAImF5rWkIyVUcvJmP8S90jf0d7usJaEFd1ZayFLyUnwGAkP8ua2RiupnNUrZ/49A31cGm1RCpw00DGEJ/5VK6VMP1+T4KOUP5pB90FUYVHUv6S8dAg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: argocd-oauth
+      namespace: argocd
+    type: Opaque

infrastructure/argocd/kustomization.yaml

@@ -8,8 +8,10 @@ resources:
   - ingress.yaml
   - argo-apps.application.yaml
   - bootstrap-repo.sealedsecret.yaml
+  - argocd-oauth.sealedsecret.yaml
 
 
 patches:
   - path: known-hosts.configmap.yaml
   - path: argocd.configmap.yaml
+  - path: argocd-oauth.configmap.yaml