oauth fixes

2024-10-15 18:06:33 +02:00
parent 8805fb0b78
commit fa00ff136b
8 changed files with 31 additions and 15 deletions
--- a/infrastructure/argocd/argocd-oauth.configmap.yaml
+++ b/infrastructure/argocd/argocd-oauth.configmap.yaml
@@ -19,3 +19,6 @@ data:

    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}
+    allowedAudiences:
+    - argocd
+  
--- a/infrastructure/argocd/argocd-oauth.sealedsecret.yaml
+++ b/infrastructure/argocd/argocd-oauth.sealedsecret.yaml
@@ -7,10 +7,12 @@ metadata:
  namespace: argocd
 spec:
  encryptedData:
-    client-secret: AgAGtwiMd6OOz2IT2QJJR6unSYgLqNVJCb63a6hHko749nK8Kx1WgLwCYT/UURQYUusqMMPkNqbkA+jLUgh92fa7MKhtj4GysSvWavB+j8oFWT3YZbNcYNoJsTxg8mIRKiMFmp5um703e5RtGCv7eiOWdVtHftVv1BycPVeVHUuLU5usc8lmgnTTEPiRUEUB8MjGd7bIEgJ9q5oAiRTiwefickS1NgC02K2K8hVAhG/VkP0lqYn0xYgsy4W4i/7Q7AxRxCwX3y23spjXNUCRJRYvgF7Cf+MHdBgk6xPtvJF3jDLJfw8H2ilUx0GaxkESCDIE/FSVlbhMXmUdVYB9SLVo9K/tzqHe536ufGWO+U7H92mhZl5oZcA7qP9iXLUy13sAY/slixbKT6y4BJ3Tnt/pK1IydASsOE/uuwuN5q6AHWvG++DSHEPfE8xOH3bRVph8aIJD9hi8UlH7KGlEDPIaY3twpaJDUweaGVRTEnjvxW/hKfp2SF8A0PtGDeKSSii/XBZjxjROdOvE2+xM/WTVdVqddvErzogEKfljMvb5Z4OQiNj7fFvFMVuRD55To8p/cYZu+KHx+D8tuUMH3zk6AdADs/0bjI0xAz3PJUAmVp4RE4k0vP8LAImF5rWkIyVUcvJmP8S90jf0d7usJaEFd1ZayFLyUnwGAkP8ua2RiupnNUrZ/49A31cGm1RCpw00DGEJ/5VK6VMP1+T4KOUP5pB90FUYVHUv6S8dAg==
+    client-secret: AgBmXMtAHgooKGgj3s/ndddVxxOXqUYyGev5BeUoAYL9IYYT3yB54cQp7v1suEwVGUJQQPOgc3YDUeS5kdOLcpYi7mOi7/aJYPmUHx1DU644JsebpeqJNMFt52SCynLjP9Vntlbkji9mPCQj0tHGhqleA+3y9mamuz3tZ+kaSY4+qUywXekMQz13YQgagQc+0BK2xzUzVedNj2AB0NmCIs8oOIL1ZL0iMi/+/a1VSh/pzm3Tv/ap3w5nqP6FUbZLcL0hU6+VTa6ZqoDcIIEm5x23tDXwgbHM7CJ5E/bHu+cNrvVO9XqI5x4KRIe/TDJGmO3oZ4bdeU2mtIxTXIHG3kKFCQzKPqteffctEusvdyqkpCqPsLUny8loOQKX8XjY6K6a7fMsYUsKkJ1Le3Zuif0AhzNvDCX69pz3uPEOf6ZR2pU0B0g3fc3gIwIuY97WiHzHg++pLJ6/yT32Ja9Ub6k72fJDA1HvvAOY0+fXoJdOwkJCfGFF/dXLp2M1/3xxDI05mJeFywE9NYBrb2yRNN9XAdwSJ5mpRnyiyBlMv/1W52yDBCavyMR+vLlyxaXGeVHvDSTdGCY8bCBEz2kbm3WEFxGR/LM3ls6d8WvvT5YJ+RxxEYSN/o0Zi233AK53toni+e2luBBIjUITa+QUIxpeWrz2aAe19PO+XiDHu8G2sErWxwE336USCnOiFIkqeJpBqtfOm0sWnxmQWhucMqTlGYdbus+DBkWWM23JLFuRsOI/VawqRg==
  template:
    metadata:
      creationTimestamp: null
+      labels:
+        app.kubernetes.io/part-of: argocd
      name: argocd-oauth
      namespace: argocd
    type: Opaque
--- a/infrastructure/argocd/argocd-rbac.configmap.yaml
+++ b/infrastructure/argocd/argocd-rbac.configmap.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  policy.csv: |
+    # use oidc group apps_admin as admin group in argocd
+    g, apps_admin, role:admin
+  policy.default: role:readonly
--- a/infrastructure/argocd/kustomization.yaml
+++ b/infrastructure/argocd/kustomization.yaml
@@ -15,3 +15,4 @@ patches:
  - path: known-hosts.configmap.yaml
  - path: argocd.configmap.yaml
  - path: argocd-oauth.configmap.yaml
+  - path: argocd-rbac.configmap.yaml
--- a/infrastructure/authelia/authelia-oidc.sealedsecret.yaml
+++ b/infrastructure/authelia/authelia-oidc.sealedsecret.yaml