From e9ad3c1d3bca4272a78ad8ed0c102b007543587c Mon Sep 17 00:00:00 2001
From: David Fry
Date: Wed, 6 Mar 2024 17:35:56 +0000
Subject: [PATCH] first draft

---
 mojaloop/iac/roles/argocd/defaults/main.yaml | 2 ++
 .../roles/argocd/templates/argo-cm.yaml.j2 | 7 +++++
 .../templates/argo-oidc-secrets.yaml.j2 | 26 +++++++++++++++++++
 .../argocd/templates/kustomization.yaml.j2 | 1 +
 4 files changed, 36 insertions(+)
 create mode 100644 mojaloop/iac/roles/argocd/templates/argo-oidc-secrets.yaml.j2

diff --git a/mojaloop/iac/roles/argocd/defaults/main.yaml b/mojaloop/iac/roles/argocd/defaults/main.yaml
index 3ab93382..08f934ab 100644
--- a/mojaloop/iac/roles/argocd/defaults/main.yaml
+++ b/mojaloop/iac/roles/argocd/defaults/main.yaml
@@ -18,3 +18,5 @@ kubectl_version: "1.24.6"
 coredns_version: "1.28.2"
 coredns_max_scale: 10
 install_nodelocaldns: false
+gitlab_oidc_issuer: http://issuer-fqdn/oidc
+argocd_fqdn: argocd.example.com
diff --git a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2
index 65e6eb7f..83ed49fc 100644
--- a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2
+++ b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2
@@ -1,5 +1,12 @@
 apiVersion: v1
 data:
+  url: https://{{ argocd_fqdn }}
+  oidc.config: |
+    name: Gitlab
+    issuer: {{ gitlab_oidc_issuer }}
+    clientID: $argo-oidc.clientid
+    clientSecret: $argo-oidc.clientsecret
+    requestedScopes: ["read_api"]
   application.instanceLabelKey: argocd.argoproj.io/instance
   kustomize.buildOptions: --enable-helm
   ui.bannercontent: "argocd application install"
diff --git a/mojaloop/iac/roles/argocd/templates/argo-oidc-secrets.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argo-oidc-secrets.yaml.j2
new file mode 100644
index 00000000..87383975
--- /dev/null
+++ b/mojaloop/iac/roles/argocd/templates/argo-oidc-secrets.yaml.j2
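Review bot: `gitlab_oidc_issuer: http://issuer-fqdn/oidc` defaults to a plaintext scheme, and the issuer URL is where Argo CD fetches the OIDC discovery document and exchanges the authorization code together with the client secret, so an `http://` issuer would carry the client secret and tokens unencrypted if the default were ever left in place. Prefer `gitlab_oidc_issuer: https://issuer-fqdn/oidc` even as a placeholder, since the scheme is the part of a default that tends to be copied as-is. Both new values read as placeholders rather than working defaults; a comment above them such as `# placeholders: every inventory must override these` would make that explicit.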
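Review bot: The `clientID: $argo-oidc.clientid` / `clientSecret: $argo-oidc.clientsecret` references appear to use the wrong separator: if I recall Argo CD's `oidc.config` handling correctly, a key in a Secret other than `argocd-secret` is referenced as `$<secret-name>:<key>`, and the dotted form would be looked up as a key literally named `argo-oidc.clientsecret` inside `argocd-secret`, leaving the client secret unresolved at login; `clientID: $argo-oidc:clientid` / `clientSecret: $argo-oidc:clientsecret` is the documented shape, so please verify against the deployed Argo CD version. Separately, `requestedScopes: ["read_api"]` replaces the default scope list rather than extending it, so the `openid` scope that the OIDC spec requires for an ID token to be issued is missing, while `read_api` grants the resulting access token read access to the GitLab API, which a login flow does not need; `requestedScopes: ["openid", "profile", "email", "groups"]` keeps the token to identity claims (drop `groups` if RBAC does not map GitLab groups). The Jinja-expanded `issuer: {{ gitlab_oidc_issuer }}` is worth quoting as `issuer: "{{ gitlab_oidc_issuer }}"` because the block scalar is re-parsed as YAML by Argo CD.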
@@ -0,0 +1,26 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: argo-oidc +spec: + refreshInterval: 1h + + secretStoreRef: + kind: ClusterSecretStore + name: tenant-vault-secret-store + + target: + name: argo-oidc + creationPolicy: Owner + template: + labels: + app.kubernetes.io/part-of: argocd + data: + - secretKey: clientid + remoteRef: + key: {{ cluster_name }}/argocd_oauth_client_id + property: value + - secretKey: clientsecret + remoteRef: + key: {{ cluster_name }}/argocd_oauth_client_secret + property: value \ No newline at end of file diff --git a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 index 53b82b47..7907507c 100644 --- a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 @@ -11,6 +11,7 @@ resources: - argo-gitlab.yaml - vault-env.yaml - netclient.yaml +- argo-oidc-secrets.yaml patches: - path: argo-cm.yaml
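Review bot: The `app.kubernetes.io/part-of: argocd` label in `target.template.labels` is load-bearing and deserves a comment, since it is what allows argocd-server to read the generated `argo-oidc` Secret for the `$argo-oidc...` references in `argocd-cm`; a line such as `# required: Argo CD only reads Secrets carrying this label` above it would stop a future cleanup from dropping it. The ExternalSecret has no `metadata.namespace`, so it presumably relies on the kustomization's namespace setting (outside this hunk) to land in the argocd namespace; if it does not, the Secret is created where Argo CD cannot see it and the OIDC client secret silently resolves to nothing. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so later diffs of this template stay clean.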