Funk-lab/k8s/argocd-bootstrap/values.yaml
ALI YESILKAYA a336eda7e9
feat(argocd): SSO OIDC Authentik sur le domaine (argocd.funklab.online) (#92)
- values : configs.cm (url + oidc.config vers auth.funklab.online, secret
  référencé $argocd-oidc:clientSecret) + rbac lab-admins→admin
- IngressRoute websecure + Let's Encrypt (route argocd.lab.local conservée)

Appliqué hors ArgoCD (bootstrap helm) :
  helm upgrade argocd argo/argo-cd -n argocd --version 9.5.14 \
    -f k8s/argocd-bootstrap/values.yaml
Secret k8s argocd-oidc déjà créé (clé clientSecret, label part-of=argocd).

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
2026-07-07 17:21:19 +02:00

72 lines
1.5 KiB
YAML

global:
domain: argocd.lab.local
configs:
params:
server.insecure: true # TLS géré par Traefik
cm:
# URL publique (construit le redirect_uri OIDC : <url>/auth/callback)
url: https://argocd.funklab.online
# SSO OIDC → Authentik (app « argocd »). L'issuer est joint server-side par
# argocd-server via hairpin. clientSecret référencé depuis le secret dédié
# « argocd-oidc » (label part-of=argocd, créé hors git) — évite de toucher
# argocd-secret géré par helm. Voir admin/k8s/public-domain.md.
oidc.config: |
name: Authentik
issuer: https://auth.funklab.online/application/o/argocd/
clientID: argocd
clientSecret: $argocd-oidc:clientSecret
requestedScopes: ["openid", "profile", "email", "groups"]
rbac:
scopes: "[groups]"
# Membres du groupe Authentik lab-admins → admin ArgoCD
policy.csv: |
g, lab-admins, role:admin
server:
ingress:
enabled: true
ingressClassName: traefik
hostname: argocd.lab.local
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
memory: 256Mi
repoServer:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
memory: 256Mi
applicationSet:
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 128Mi
notifications:
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 128Mi
redis:
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 128Mi
dex:
enabled: false