feat(argocd): Add an extra layer of security on ArgoCD interface

2025-11-01 18:37:52 +00:00 · 2023-10-05 18:52:53 +02:00
parent de0bc00ca7
commit a23fe826e1
4 changed files with 34 additions and 0 deletions
--- a/infra/argocd/auth-values.yaml
+++ b/infra/argocd/auth-values.yaml
@@ -0,0 +1,7 @@
+name: auth
+namespace: argocd
+authOnly: true
+auth:
+  cookieDomain: stonegarden.dev
+  whitelist:
+    - veghag@gmail.com
--- a/infra/argocd/ingress.yaml
+++ b/infra/argocd/ingress.yaml
@@ -10,6 +10,8 @@ spec:
    - kind: Rule
      match: Host(`argocd.stonegarden.dev`)
      priority: 10
+      middlewares:
+        - name: traefik-forward-auth
      services:
        - name: argocd-server
          port: 80
--- a/infra/argocd/kustomization.yaml
+++ b/infra/argocd/kustomization.yaml
@@ -2,8 +2,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: argocd

+helmGlobals:
+  chartHome: ../../charts
+
+helmCharts:
+  - name: application
+    releaseName: auth
+    valuesFile: auth-values.yaml
+
 resources:
  - namespace.yaml
+  - traefik-forward-auth-secrets.yaml
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.8.2/manifests/install.yaml
  - ingress.yaml
  - argocd-cm-cmp-kustomize-build-with-helm.yaml
--- a/infra/argocd/traefik-forward-auth-secrets.yaml
+++ b/infra/argocd/traefik-forward-auth-secrets.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: traefik-forward-auth-secrets
+  namespace: argocd
+spec:
+  template:
+    metadata:
+      name: traefik-forward-auth-secrets
+      namespace: argocd
+    type: Opaque
+  encryptedData:
+    google-client-id: AgBFA+N1acn6eDPPEe25xCM1rWcpPGCFxs2shiOFks/tiBcwmO7B+rvUK8soVcTpPVFs4f58ImezPKZ3QUdeJHM2+ee8GYj5d7t1HoFyGbsWSLCG0oczkCB6W+m6W7aGJ/0HnPwGhBK5B2jktfqbMWPfk5wAF/jCzkkUpkENDTQWwfUOXSemdLh5j7J/KWpFQMHWCYwhM4jMzLbRp0emzxEUjmnajbbueURr/N3DUIE3wuXfmqz5XfLbAoY+f0H3ZMHoMSoHOvTZW7vCJo1pOuBLwsRERK2IVcYEENEHSvDVsr4wfSN2evhAxrSOdBJOJjHGUlnIXkex48sejCCYZo0x+qNkN6X/dtHscB/Uz2zNv7b/Jw6j9HoEWsYpeeDaeQP6rhbVddIlc55Bia/ocC5inMVKb1VdCszPhn6bMU+BAxJiwakRaW5i/rN3K5L0TE2t+gWET01FEDPzXu1SQdjmXU0vGQnKiS1hHi2vd/LlpPi3Ergz1AppS/TFwZkbM+djyxvwsLGx/kPgOLbR/lLpcAMTf2wj1ZZlgTouoX6WxIAGBsvFCLu6GHvNlFC7zaE93E7L4umUvPd+yWqwhi/MXIgtK48bzZF4wsRW3sSwiED3ZsboHMpMjGGZEIOqMJ1ULMNp89BqbIcWCJXDTiOvGT/BMfZ5m7t+iMVJWvYyv7/34KQW92/bxNxhaHe1FjbcClyrqJu8dUv3YGNOT01/vodPfFUO4PnzFwNy7qMTuQzc9HPaKxeERJNOpJHR2dixJJo8fRX7a1lX7AG2Wmogwv1HnvqHxL0=
+    google-client-secret: AgAgXtmAlvKJjxhE+AnSz3VCmUP3BPkDPFaxzBga5taunyjnFeRj1XZU88WXpeOAVlMbCg2V5V2XpHNU1YBbBnOZcr67yPiNL3HUAF9/UPnHR3PLqlDim/rvvCWLdrXhzCzFGoHzsLCVSgf4ms9LM9ALNe1GbXxEUjY3Ku4CIJtN07Ijs3ZdjkbPw13qV/oEHmmVGXeIWsxJN8JCH8PvIDkQTIk+Zh7AVy95qRiou1Fp7js/pgVUgWkQMUrg7osP6HkWo1BVbassGeVgmGTBqzS7lxdmqqos1HRhG7+SuHoTIDD88IGoxwKfm5kIPDfZolpcQqkYsRkdSAjJnrfobazUqwK5irf+x8UapqNQzu+d1zbqUALRBLEO+jD61ojzE7yHdECTiPDdJuAwUb7sZBRh7xus/rJ5jiRiwrwal6z/tC5NzQaLsd7gb4OKh3rqXBiYcXar77d5zN8VFW/k/Qk+NmO8uS/M2vDur8m5dTiRYb8XhOXNHsi3Km0sM9rdoV0rccRI3waytNgdetgTW8tye6arldHy97agqyUx+zS1S58kobRLcNfkZh+gclvqC7viuf4xPuoL7gHCgfGNKHRfo+aI+pkubkoUP8qm5KmHqkGU2yWtGhWfHBcOspNOWbrqf/tEdk2poUgyFFq8Pl0NSs0b5xFm3TgmZi8Oqq/p8nvHPXuvoQdmblNLVMhzIfTUFv1H9FIo6ItagJq9cuvcMaCGKGycJ7RVS06E3mwMsnCJKw==
+    secret: AgA/G8IiXdqwe4a0Ls7JEMS9xqxgMu+KkJV8dTxoUKCDZGNSfYbBEudjWZym1onfj2dcOTR9fK2BBjJFI/dwwqLZlSxKG3xLBCpfbJUza7Iw9vScbSdJkLTKTHlw4VbDDmoD1D7cbG34Hb+JE0q1dVO6GXbwzwv05bX9Wc9cVRPG6Ol2R/IRV1k+wuDzLhmYSP/4EjqMCTRzWC4+371P4ALDhqO0m3TWAPqRQ1Jhclh9HDSuDgHSDFo2Ty06cHukjkX65wYPkonyJzi9xygfZ1aLoZ7PQImEJhd6CtkWsrmK3h/MYf+O71ng4KmPHnQZAFD1uTMYnfJ5A2lH9Uc9/tZiUtWQX1Zjim6Jfhac1gwh38Vrd7m72ro8VG+HzDYV2OJ36vxy1Q45yQQQNemQZUN0QX8gFJ1IoqRaH1kDdQBkrWoGO3IEL4dMvwxQ3a4QfW9i0yQbM1cllCp7KV3IQWAmH0dTFnrc6FVo8Fdv4O8aL+bE71aG4bwwLdff2rvqRKAsmgomOyyE2koAtSaewBCTob+QZ2mxoZEE2hnXEMjJgf8sQu4IYtn+XuOzhvzV81DDBk4zuLhiw1PkXyUU0A8VpiPMzaq9FQWWscgzgcyLK2Qu4DTIsntZ/qCN9A7Tn8Trw1HBR8dQAw5y3OEEh8uaE03MFQ0DuRABLB+JiFqQXNj604Uprk2eIZyfURlYUjVNQCta/Gkez+UDqStIfxB8i1OgIfbz
+