mirror of
https://github.com/Alkatrazz24/Funk-lab.git
synced 2026-07-08 10:54:41 +02:00
feat(argocd): SSO OIDC Authentik sur le domaine (argocd.funklab.online) (#92)
- values : configs.cm (url + oidc.config vers auth.funklab.online, secret
référencé $argocd-oidc:clientSecret) + rbac lab-admins→admin
- IngressRoute websecure + Let's Encrypt (route argocd.lab.local conservée)
Appliqué hors ArgoCD (bootstrap helm) :
helm upgrade argocd argo/argo-cd -n argocd --version 9.5.14 \
-f k8s/argocd-bootstrap/values.yaml
Secret k8s argocd-oidc déjà créé (clé clientSecret, label part-of=argocd).
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
parent
5e70e72719
commit
a336eda7e9
2 changed files with 38 additions and 0 deletions
20
k8s/argocd-bootstrap/ingressroute-public.yaml
Normal file
20
k8s/argocd-bootstrap/ingressroute-public.yaml
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
# Accès public HTTPS — argocd.funklab.online (cert Let's Encrypt auto).
|
||||
# ArgoCD n'est pas auto-synchronisé : appliquer à la main
|
||||
# kubectl apply -f k8s/argocd-bootstrap/ingressroute-public.yaml
|
||||
# Route interne argocd.lab.local conservée (Ingress du chart).
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: argocd-public
|
||||
namespace: argocd
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`argocd.funklab.online`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: argocd-server
|
||||
port: 80
|
||||
tls:
|
||||
certResolver: letsencrypt
|
||||
|
|
@ -4,6 +4,24 @@ global:
|
|||
configs:
|
||||
params:
|
||||
server.insecure: true # TLS géré par Traefik
|
||||
cm:
|
||||
# URL publique (construit le redirect_uri OIDC : <url>/auth/callback)
|
||||
url: https://argocd.funklab.online
|
||||
# SSO OIDC → Authentik (app « argocd »). L'issuer est joint server-side par
|
||||
# argocd-server via hairpin. clientSecret référencé depuis le secret dédié
|
||||
# « argocd-oidc » (label part-of=argocd, créé hors git) — évite de toucher
|
||||
# argocd-secret géré par helm. Voir admin/k8s/public-domain.md.
|
||||
oidc.config: |
|
||||
name: Authentik
|
||||
issuer: https://auth.funklab.online/application/o/argocd/
|
||||
clientID: argocd
|
||||
clientSecret: $argocd-oidc:clientSecret
|
||||
requestedScopes: ["openid", "profile", "email", "groups"]
|
||||
rbac:
|
||||
scopes: "[groups]"
|
||||
# Membres du groupe Authentik lab-admins → admin ArgoCD
|
||||
policy.csv: |
|
||||
g, lab-admins, role:admin
|
||||
|
||||
server:
|
||||
ingress:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue