website/docs: Update ArgoCD integration docs. (#9684)

Co-authored-by: Dylan Kauling <dkauling@armstrongfluidtechnology.com>
goauthentik · May 30, 2024 · 040dcaa · 040dcaa
1 parent 66a1675
commit 040dcaa
Showing 1 changed file with 79 additions and 5 deletions.
diff --git a/website/integrations/services/argocd/index.md b/website/integrations/services/argocd/index.md
@@ -33,7 +33,7 @@ In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_
 -   Redirect URIs:
 
 ```
-http://argocd.company/api/dex/callback
+https://argocd.company/api/dex/callback
 http://localhost:8085/auth/callback
 ```
 
@@ -46,15 +46,78 @@ Create a new _Application_ (under _Applications/Applications_) with these settin
 -   Name: ArgoCD
 -   Provider: ArgoCD
 -   Slug: argocd
--   Launch URL: http://argocd.company/auth/login
+-   Launch URL: https://argocd.company/auth/login
 
-### Step 3 - ArgoCD Admin Group creation
+### Step 3 - ArgoCD Group creation
 
 Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
 
 -   Name: ArgoCD Admins
 -   Members: Add your user and/or any user that should be an ArgoCD admin
 
+You can create another group for read-only access to ArgoCD as well if desired:
+
+-   Name: ArgoCD Viewers
+-   Members: Any user that should have ArgoCD read-only access
+
+## Terraform provider
+
+```hcl
+data "authentik_flow" "default-provider-authorization-implicit-consent" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "scope-email" {
+  name = "authentik default OAuth Mapping: OpenID 'email'"
+}
+
+data "authentik_scope_mapping" "scope-profile" {
+  name = "authentik default OAuth Mapping: OpenID 'profile'"
+}
+
+data "authentik_scope_mapping" "scope-openid" {
+  name = "authentik default OAuth Mapping: OpenID 'openid'"
+}
+
+resource "authentik_provider_oauth2" "argocd" {
+  name          = "ArgoCD"
+  #  Required. You can use the output of:
+  #     $ openssl rand -hex 16
+  client_id     = "my_client_id"
+
+  # Optional: will be generated if not provided
+  # client_secret = "my_client_secret"
+
+  authorization_flow  = data.authentik_flow.default-provider-authorization-implicit-consent.id
+
+  redirect_uris = [
+    "https://argocd.company/api/dex/callback",
+    "http://localhost:8085/auth/callback"
+  ]
+
+  property_mappings = [
+    data.authentik_scope_mapping.scope-email.id,
+    data.authentik_scope_mapping.scope-profile.id,
+    data.authentik_scope_mapping.scope-openid.id,
+  ]
+}
+
+resource "authentik_application" "argocd" {
+  name              = "ArgoCD"
+  slug              = "argocd"
+  protocol_provider = authentik_provider_oauth2.argocd.id
+}
+
+resource "authentik_group" "argocd_admins" {
+  name    = "ArgoCD Admins"
+}
+
+
+resource "authentik_group" "argocd_viewers" {
+  name    = "ArgoCD Viewers"
+}
+```
+
 ## ArgoCD Configuration
 
 :::note
@@ -69,16 +132,25 @@ In the `argocd-secret` Secret, add the following value to the `data` field:
 dex.authentik.clientSecret: <base 64 encoded value of the Client Secret from the Provider above>
 ```
 
+If using Helm, the above can be added to `configs.secret.extra` in your ArgoCD Helm `values.yaml` file as shown below, securely substituting the string however you see fit:
+
+```yaml
+configs:
+    secret:
+        extra:
+            dex.authentik.clientSecret: "${argocd_authentik_client_secret}"
+```
+
 ### Step 2 - Configure ArgoCD to use authentik as OIDC backend
 
 In the `argocd-cm` ConfigMap, add the following to the data field :
 
 ```yaml
-url: http://argocd.company
+url: https://argocd.company
 dex.config: |
     connectors:
     - config:
-        issuer: http://authentik.company/application/o/<application slug defined in step 2>/
+        issuer: https://authentik.company/application/o/<application slug defined in step 2>/
         clientID: <client ID from the Provider above>
         clientSecret: $dex.authentik.clientSecret
         insecureEnableGroups: true
@@ -98,8 +170,10 @@ In the `argocd-rbac-cm` ConfigMap, add the following to the data field (or creat
 ```yaml
 policy.csv: |
     g, ArgoCD Admins, role:admin
+    g, ArgoCD Viewers, role:readonly
 ```
 
 If you already had an "admin" group and thus didn't create the `ArgoCD Admins` one, just replace `ArgoCD Admins` with your existing group name.
+If you did not opt to create a read-only group, or chose to use one with a different name in authentik, rename or remove here accordingly.
 
 Apply all the modified manifests, and you should be able to login to ArgoCD both through the UI and the CLI.