From 10a4c828340f0a3123397cfb783a1244a8befcc4 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Fri, 24 Apr 2026 22:06:05 +0200 Subject: [PATCH] argcd tls --- bootstrap.sh | 4 +- .../argocd-oidc-secret-sync.yaml | 83 +++++++++++++++++++ infra/values/base/argocd-values.yaml | 22 ++++- infra/values/base/keycloak-values.yaml | 33 ++++++++ infra/values/upc-dev/argocd-values.yaml | 2 +- 5 files changed, 139 insertions(+), 5 deletions(-) create mode 100644 cluster-resources/argocd-oidc-secret-sync.yaml diff --git a/bootstrap.sh b/bootstrap.sh index 6c1170a..0c02592 100644 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -27,8 +27,8 @@ Bootstrap() Gitea() { echo "Installing secret..." - kubectl apply -f private/gitea-repo-main.yaml - kubectl apply -f private/main.key + kubectl apply -f "private/${CLUSTER}/gitea-repo-main.yaml" + kubectl apply -f "private/${CLUSTER}/main.key" } ############################################################ diff --git a/cluster-resources/argocd-oidc-secret-sync.yaml b/cluster-resources/argocd-oidc-secret-sync.yaml new file mode 100644 index 0000000..b61da8d --- /dev/null +++ b/cluster-resources/argocd-oidc-secret-sync.yaml 
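Review bot: `Gitea` now builds both paths from `${CLUSTER}` but nothing in the hunk checks that the variable is set; when it is empty the paths collapse to `private//gitea-repo-main.yaml` and `private//main.key`, and the only symptom is kubectl's file-not-found error. A guard as the first statement of the function, `: "${CLUSTER:?CLUSTER must be set}"`, fails early with a clear message instead. Whether `Bootstrap()` already validates `CLUSTER` before calling `Gitea` cannot be seen from this hunk.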
@@ -0,0 +1,83 @@
+# CronJob: syncs OIDC client secret from registrar-managed
+# argocd-oidc-credentials into argocd-secret (oidc.clientSecret key).
+# Runs every 2 min. No-ops if source secret doesn't exist yet
+# (safe for fresh deploys before Keycloak is up).
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argocd-oidc-sync
+ namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: argocd-oidc-sync
+ namespace: argocd
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["argocd-oidc-credentials", "argocd-secret"]
+ verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argocd-oidc-sync
+ namespace: argocd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-oidc-sync
+subjects:
+- kind: ServiceAccount
+ name: argocd-oidc-sync
+ namespace: argocd
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: argocd-oidc-sync
+ namespace: argocd
+spec:
+ schedule: "*/2 * * * *"
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ backoffLimit: 1
+ template:
+ spec:
+ serviceAccountName: argocd-oidc-sync
+ restartPolicy: Never
+ containers:
+ - name: sync
+ image: bitnami/kubectl:latest
+ command: ["/bin/sh", "-c"]
+ args:
+ - |
+ set -e
+
+ # Exit gracefully if source secret doesn't exist yet
+ if ! kubectl get secret argocd-oidc-credentials -n argocd >/dev/null 2>&1; then
+ echo "argocd-oidc-credentials not found — skipping (Keycloak not ready yet)"
+ exit 0
+ fi
+
+ # Read current OIDC client secret
+ NEW_SECRET=$(kubectl get secret argocd-oidc-credentials -n argocd \
+ -o jsonpath='{.data.client-secret}' | base64 -d)
+
+ # Read current value in argocd-secret (if any)
+ CURRENT=$(kubectl get secret argocd-secret -n argocd \
+ -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null | base64 -d || echo "")
+
+ # Only patch if changed
+ if [ "$NEW_SECRET" = "$CURRENT" ]; then
+ echo "oidc.clientSecret already up to date"
+ exit 0
+ fi
+
+ kubectl patch secret argocd-secret -n argocd --type merge \
+ -p "{\"stringData\":{\"oidc.clientSecret\":\"${NEW_SECRET}\"}}"
+ echo "Patched argocd-secret with oidc.clientSecret"
diff --git a/infra/values/base/argocd-values.yaml b/infra/values/base/argocd-values.yaml
index 4bfa6df..fad535b 100644
--- a/infra/values/base/argocd-values.yaml
+++ b/infra/values/base/argocd-values.yaml
@@ -2,6 +2,8 @@ configs:
 secret:
 createSecret: true
 argocdServerAdminPassword: "$2b$12$Tmb1jH7ADvwWoUoNPXXsfOf6JqEluqhq8mL06a8DGT2AP1GzbNsCm"
+ # oidc.clientSecret managed by argocd-oidc-sync CronJob
+ # (reads from argocd-oidc-credentials, patches argocd-secret)
 ssh:
 knownHosts: |
 [git.forteapps.net]:2222 ssh-rsa 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
@@ -9,6 +11,19 @@ configs:
 application.resourceTrackingMethod: annotation
 timeout.reconciliation: 60s
 admin.enabled: "true"
+ url: https://argocd.forteapps.net
+ oidc.config: |
+ name: Forte SSO
+ issuer: https://id.forteapps.net/realms/forte
+ clientID: argocd
+ clientSecret: $oidc.clientSecret
+ requestedScopes: ["email", "profile", "groups"]
+ rbacConfig:
+ policy.csv: |
+ g, ArgoCD Admins, role:admin
+ g, ArgoCD Viewers, role:readonly
+ policy.default: role:readonly
+ scopes: '[groups]'
 params:
 "server.insecure": true
 repoServer:
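Review bot: The assignment `NEW_SECRET=$(kubectl get … | base64 -d)` is not protected by `set -e`, because the pipeline's status is `base64`'s: a transient kubectl/API failure yields an empty string, the `"$NEW_SECRET" = "$CURRENT"` test does not catch that, and the patch then writes an empty `oidc.clientSecret` into argocd-secret, breaking SSO until a later run repairs it. The decoded secret is also spliced into a hand-built JSON string on the kubectl command line, where any `"` or `\` in the value breaks the patch and the plaintext is visible in the pod's process listing. Comparing and patching the base64 `.data` value as-is removes both problems, since it never leaves the API encoding and needs no JSON escaping; the rewrite below replaces the script body, the CronJob manifest around it is unchanged. Separately, `image: bitnami/kubectl:latest` gives a pod that can `get` and `patch` argocd-secret (which also holds the admin password hash and `server.secretkey`) a floating image tag; pin it to a version or digest.
```yaml
          - |
            set -e

            # … unchanged: exit 0 when argocd-oidc-credentials does not exist yet …

            # Keep the value base64-encoded as stored in .data: it is never decoded
            # in the shell, is JSON-safe, and does not appear in plaintext on a command line.
            NEW_B64=$(kubectl get secret argocd-oidc-credentials -n argocd \
              -o jsonpath='{.data.client-secret}')
            if [ -z "$NEW_B64" ]; then
              echo "argocd-oidc-credentials has no client-secret value — aborting"
              exit 1
            fi

            # Current value in argocd-secret (empty if the key or secret is missing)
            CURRENT_B64=$(kubectl get secret argocd-secret -n argocd \
              -o jsonpath='{.data.oidc\.clientSecret}' 2>/dev/null || echo "")

            if [ "$NEW_B64" = "$CURRENT_B64" ]; then
              echo "oidc.clientSecret already up to date"
              exit 0
            fi

            kubectl patch secret argocd-secret -n argocd --type merge \
              -p "{\"data\":{\"oidc.clientSecret\":\"${NEW_B64}\"}}"
            echo "Patched argocd-secret with oidc.clientSecret"
```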
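Review bot: `policy.csv` grants `role:admin` to the group `ArgoCD Admins`, but the Keycloak mapper added in the keycloak-values.yaml hunk sets `"full.path": "false"`, so the `groups` claim carries only bare group names and two groups with that name at different paths in the realm's group tree are indistinguishable to Argo CD. Setting `"full.path": "true"` in the mapper and matching the path in the policy, `g, /ArgoCD Admins, role:admin` (and likewise for the viewers line), makes the binding unambiguous. Also, the indentation of `rbacConfig:` is lost in this rendering; if it sits under `cm:` it is not an argocd-cm key, and in the current argo-cd chart the RBAC settings live under `configs.rbac` (`policy.csv`, `policy.default`, `scopes`), so confirm the rendered argocd-rbac-cm actually contains this policy.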
@@ -19,8 +34,11 @@ repoServer: value: "false" server: ingress: - enabled: false - ingressClassName: nginx + enabled: true + ingressClassName: traefik + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + tls: true extraArgs: - --insecure diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index 6fad310..d890bc8 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -132,6 +132,39 @@ keycloakConfigCli: } } ] + }, + { + "clientId": "argocd", + "name": "ArgoCD", + "enabled": true, + "protocol": "openid-connect", + "clientAuthenticatorType": "client-secret", + "standardFlowEnabled": true, + "directAccessGrantsEnabled": false, + "publicClient": false, + "redirectUris": ["https://argocd.forteapps.net/auth/callback"], + "webOrigins": ["https://argocd.forteapps.net"], + "attributes": { + "k8s.secret.sync": "true", + "k8s.secret.namespace": "argocd", + "k8s.secret.name": "argocd-oidc-credentials", + "k8s.secret.client-id-key": "client-id", + "k8s.secret.client-secret-key": "client-secret" + }, + "protocolMappers": [ + { + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-group-membership-mapper", + "config": { + "claim.name": "groups", + "full.path": "false", + "id.token.claim": "true", + "access.token.claim": "true", + "userinfo.token.claim": "true" + } + } + ] } ] } diff --git a/infra/values/upc-dev/argocd-values.yaml b/infra/values/upc-dev/argocd-values.yaml index 6ed9cea..a394511 100644 --- a/infra/values/upc-dev/argocd-values.yaml +++ b/infra/values/upc-dev/argocd-values.yaml @@ -1,5 +1,5 @@ global: - domain: argocd.127.0.0.1.nip.io + domain: argocd.forteapps.net notifications: context: clusterName: "dev-fd-eu-no-svg1"
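Review bot: Enabling the ingress with `tls: true` and the cert-manager annotation makes argocd-server reachable on its public hostname, while `admin.enabled: "true"` (argocd-values.yaml hunk 2) keeps the local admin login next to SSO and the bcrypt hash in `argocdServerAdminPassword` stays committed in the base values. Once the SSO RBAC is verified, disabling the built-in account with `admin.enabled: "false"`, or at least moving the hash to the private per-cluster files that `bootstrap.sh` now applies, narrows what a readable repo plus an exposed login form gives away. As a style point, `"server.insecure": true` under `configs.params` and `--insecure` in `server.extraArgs` appear to express the same setting; keeping only the `configs.params` form avoids the two drifting apart.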