ArgoCD Profile

The argocd profile produces keys for the argocd-secret Kubernetes Secret, enabling ArgoCD's Dex OIDC connector to authenticate users against Authentik.

Two-Part Configuration Required

The ArgoCD OIDC integration requires configuration in two places:

  1. argocd-secret -- managed by this operator via the OIDCClient CR
  2. argocd-cm ConfigMap (dex.config key) -- managed separately via ArgoCD Helm values

The operator only manages the secret. You must configure the Dex connector in your ArgoCD Helm values yourself.

Key Mapping

| Secret Key | Source Value | Purpose |
|---|---|---|
| dex.authentik.clientSecret | clientSecret | Referenced by Dex config as $dex.authentik.clientSecret |
| clientId | clientId | Convenience key for use in Dex config |
| issuerUrl | issuerUrl | Convenience key for use in Dex config |
| caData | signing certificate (base64 PEM) | Base64-encoded PEM of the signing certificate. Present only when the Authentik provider has a signing key configured. |
| caFingerprint | signing certificate SHA256 fingerprint | SHA256 fingerprint of the signing certificate. Present only when the Authentik provider has a signing key configured. |

Why So Few Keys?

Unlike other profiles, the ArgoCD profile produces only three keys in the common case. ArgoCD's Dex connector reads its full configuration from the dex.config key in the argocd-cm ConfigMap. The secret only needs to hold the clientSecret for Dex's variable substitution ($dex.authentik.clientSecret), plus convenience keys for reference.

Signing Certificate Keys

caData and caFingerprint appear automatically when the Authentik OAuth2 provider has a signing_key configured (as shown in the blueprint below). These values are useful for Dex SAML verification -- caData can be passed directly to Dex's caData field and caFingerprint to its caFingerprint field in the OIDC connector config.

Example CR

YAML
apiVersion: auth.kettleofketchup/v1alpha1
kind: OIDCClient
metadata:
  name: argocd-oidc
spec:
  authentik:
    applicationSlug: argocd
  target:
    namespace: argocd
    secretName: argocd-secret
  secretProfile: argocd

Step-by-Step Setup

Step 1: Create the OIDCClient CR

Deploy the CR shown above. The operator will populate argocd-secret with the keys from the mapping table (three in the common case, plus caData and caFingerprint when the provider has a signing key configured). This CR is typically placed in your ArgoCD Helm chart templates.

Target the Existing Secret

The CR targets argocd-secret in the argocd namespace. This is the same secret ArgoCD already uses for other configuration. The operator uses server-side apply to merge its keys into this secret without disturbing existing keys managed by ArgoCD.

No ignoreDifferences Required

The operator uses server-side apply with field manager authentik-operator and adds the argocd.argoproj.io/compare-options: IgnoreExtraneous annotation automatically. You do not need to add ignoreDifferences to your ArgoCD Application spec for operator-managed keys. See ArgoCD Integration for details.

Step 2: Configure ArgoCD Helm Values

Add the Dex OIDC connector configuration to your ArgoCD Helm values. This goes into the argocd-cm ConfigMap via the server.config section:

argocd-values.yaml
server:
  config:
    dex.config: |
      connectors:
        - type: oidc
          id: authentik
          name: Authentik
          config:
            issuer: https://auth.example.com/application/o/argocd/
            clientID: <your-client-id>
            clientSecret: $dex.authentik.clientSecret
            insecureEnableGroups: true
            scopes:
              - openid
              - profile
              - email

Key points about this configuration:

  • clientSecret: $dex.authentik.clientSecret -- Dex substitutes this variable at runtime by looking up the key dex.authentik.clientSecret in argocd-secret. This is the value the operator writes.
  • issuer -- Set this to your Authentik instance's issuer URL for the ArgoCD application ({authentikURL}/application/o/argocd/).
  • clientID -- The client ID from Authentik. You can find this in the Authentik admin UI or retrieve it from the clientId key the operator writes to argocd-secret.

Static Values in Dex Config

The issuer and clientID values in dex.config are static strings in the ConfigMap, not variable references. While the operator writes clientId and issuerUrl to the secret for convenience, Dex only supports $secret-key substitution for the clientSecret field. You must set the issuer and client ID in your Helm values directly.
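To confirm that a deployed argocd-secret and the dex.config connector actually agree (the key mapping above, the $dex.authentik.clientSecret reference, and the optional caData/caFingerprint pair from the Signing Certificate Keys section), here is an added Python check that is not part of the operator or of this documentation. It assumes the secret's data has already been base64-decoded (for example from `kubectl get secret argocd-secret -n argocd -o json`) and that caFingerprint is the SHA-256 of the certificate's DER bytes as hex with optional colons; all inputs below are constructed samples.

```python
import base64
import hashlib
import re

# Constructed sample of decoded argocd-secret data as this profile writes it
# (placeholder values, not real credentials). The "certificate" body YWJj is
# base64 of b"abc", a stand-in for real DER so the fingerprint is checkable.
SECRET = {
    "dex.authentik.clientSecret": "placeholder-client-secret",
    "clientId": "placeholder-client-id",
    "issuerUrl": "https://auth.example.com/application/o/argocd/",
    "caData": base64.b64encode(
        b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    ).decode(),
    "caFingerprint": "BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                     "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD",
}
# Constructed mirror of the connector "config" block in argocd-values.yaml.
DEX_CONNECTOR = {
    "issuer": "https://auth.example.com/application/o/argocd/",
    "clientID": "placeholder-client-id",
    "clientSecret": "$dex.authentik.clientSecret",
}

def pem_sha256_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes inside a PEM CERTIFICATE block, lowercase hex."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def check_argocd_oidc(secret: dict, connector: dict) -> list:
    """Return mismatches between argocd-secret and the Dex connector config."""
    issues = []
    if "dex.authentik.clientSecret" not in secret:
        issues.append("secret is missing dex.authentik.clientSecret")
    # A literal value here would land the client secret in the argocd-cm
    # ConfigMap; Dex only resolves the $<key> reference at runtime.
    if connector.get("clientSecret") != "$dex.authentik.clientSecret":
        issues.append("dex.config clientSecret is not $dex.authentik.clientSecret")
    if connector.get("clientID") != secret.get("clientId"):
        issues.append("dex.config clientID differs from the secret's clientId")
    if connector.get("issuer", "").rstrip("/") != secret.get("issuerUrl", "").rstrip("/"):
        issues.append("dex.config issuer differs from the secret's issuerUrl")
    if "caData" in secret:  # present only when the provider has a signing key
        pem = base64.b64decode(secret["caData"]).decode()
        # Assumed fingerprint format: SHA-256 hex, colons optional, any case.
        want = secret.get("caFingerprint", "").replace(":", "").lower()
        if pem_sha256_fingerprint(pem) != want:
            issues.append("caFingerprint does not match SHA-256 of caData certificate")
    return issues
```

An empty list means the static issuer and clientID in your Helm values match what the operator wrote and the secret reference is in place; any entry points at the field to fix before Dex will authenticate users.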

Step 3: Configure RBAC (Optional)

Map Authentik groups to ArgoCD roles in your Helm values:

argocd-values.yaml
server:
  rbacConfig:
    policy.csv: |
      g, authentik-admins, role:admin
      g, authentik-readonly, role:readonly
    policy.default: role:readonly
    scopes: "[groups, email]"

Authentik Blueprint

Create the ArgoCD OIDC provider in Authentik:

argocd-blueprint.yaml
version: 1
metadata:
  name: ArgoCD OIDC Provider
entries:
  - model: authentik_providers_oauth2.oauth2provider
    id: provider-argocd
    attrs:
      name: argocd-oidc
      authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-flow]]
      client_type: confidential
      redirect_uris: "https://argocd.example.com/api/dex/callback"
      signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
      property_mappings:
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
        - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]

  - model: authentik_core.application
    attrs:
      name: ArgoCD
      slug: argocd
      provider: !KeyOf provider-argocd
      meta_launch_url: "https://argocd.example.com"

Redirect URI

ArgoCD's Dex callback URL follows the pattern https://<argocd-host>/api/dex/callback. Make sure this matches the redirect_uris in your Authentik blueprint.