prod argocd tailscale oidc

cedi-dev · Feb 12, 2025 · 88b141d · 88b141d
1 parent 4185997
commit 88b141d
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 65 deletions.
diff --git a/kustomize/bases/argocd/helm-values.yaml b/kustomize/bases/argocd/helm-values.yaml
@@ -190,14 +190,20 @@ configs:
 
     dex.config: |
       connectors:
-        - type: github
-          id: github
-          name: GitHub
+        - type: oidc
+          id: oidc
+          name: Tailscale
           config:
-            clientID: $dex.oauth.github.clientID
-            clientSecret: $dex.oauth.github.clientSecret
-            orgs:
-              - name: cedi-dev
+            issuer: https://idp.tailc18b.ts.net
+            clientID: foo
+            clientSecret: bar
+            redirectURI: https://argocd.tailc18b.ts.net/api/dex/callback
+            scopes:
+              - openid
+            getUserInfo: true
+            Default: username
+            claimMapping:
+              Default: username
 
     resource.exclusions: |
       - apiGroups:
@@ -214,17 +220,13 @@ configs:
   rbac:
     create: true
     policy.default: role:readonly
+    scopes: "[username,email]"
     policy.csv: |
       p, role:org-admin, *, *, *, allow
       p, role:viewer, *, get, *, allow
 
-      g, cedi-dev:argocd, role:viewer
-      g, cedi-dev:admin, role:org-admin
-
-  secret:
-    extra:
-      dex.oauth.github.clientID: foobar1234
-      dex.oauth.github.clientSecret: fooobar2345
+      g, cedi@github, role:org-admin
+      g, cedi, role:org-admin
 
   repositories:
     bitnami:

diff --git a/kustomize/overlays/cedi-dev/argocd/oauth-credentials.secret.yaml b/kustomize/overlays/cedi-dev/argocd/oauth-credentials.secret.yaml
diff --git a/kustomize/overlays/cedi-dev/argocd/secret-generator.yaml b/kustomize/overlays/cedi-dev/argocd/secret-generator.yaml
@@ -3,6 +3,5 @@ kind: ksops
 metadata:
   name: argocd-secrets
 files:
-  - oauth-credentials.secret.yaml
   - argocd-redis.secret.yaml
   - helm.secret.yaml
diff --git a/kustomize/overlays/cedi-dev/tailscale/dns-config.yaml b/kustomize/overlays/cedi-dev/tailscale/dns-config.yaml
@@ -0,0 +1,9 @@
+apiVersion: tailscale.com/v1alpha1
+kind: DNSConfig
+metadata:
+  name: ts-dns
+spec:
+  nameserver:
+    image:
+      repo: tailscale/k8s-nameserver
+      tag: unstable
diff --git a/kustomize/overlays/cedi-dev/tailscale/kustomization.yaml b/kustomize/overlays/cedi-dev/tailscale/kustomization.yaml
@@ -2,8 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: tailscale
 
-bases:
+resources:
   - ../../../bases/tailscale
+  - ./dns-config.yaml
+  - ./ts-egress-idp.yaml
 
 generators:
   - ./secret-generator.yaml
diff --git a/kustomize/overlays/cedi-dev/tailscale/ts-egress-idp.yaml b/kustomize/overlays/cedi-dev/tailscale/ts-egress-idp.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    tailscale.com/tailnet-fqdn: idp.tailc18b.ts.net
+    tailscale.com/tags: tag:core-services
+  name: idp-egress
+spec:
+  externalName: placeholder # any value - will be overwritten by operator
+  type: ExternalName