feat: add argo workflows

k8s/argo-apps/argo-workflows.yaml

@@ -0,0 +1,48 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argo-workflows
+  namespace: argocd
+spec:
+  destination:
+    name: ''
+    namespace: 'argo-workflows'
+    server: "https://kubernetes.default.svc"
+  project: management
+  syncPolicy:
+    automated: { }
+  sources:
+    - chart: argo-workflows
+      repoURL: https://argoproj.github.io/argo-helm
+      targetRevision: 0.40.*
+      helm:
+        valuesObject:
+          controller:
+            singleNamespace: true
+            workflowNamespaces:
+              - argo-workflows
+          server:
+            authMode: sso
+            sso:
+              enabled: true
+              issuer: https://auth.fukurokuju.dev/application/o/argo-workflows/
+              clientId:
+                name: secrets-argo-server-sso
+                key: client-id
+              clientSecret:
+                name: secrets-argo-server-sso
+                key: client-secret
+              redirectUrl: https://ci.fuku/oauth2/callback
+              scopes:
+                - openid
+                - profile
+                - email
+                - offline_access
+              rbac:
+                enabled: true
+            ingress:
+              enabled: true
+              ingressClassName: traefik
+              hosts:
+                - ci.fuku
+              tls: []

k8s/services/argo-workflows/admin-service-account.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: argo-workflows
+  annotations:
+    workflows.argoproj.io/rbac-rule: "true"
+    workflows.argoproj.io/rbac-rule-precedence: "1"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: admin-user.service-account-token
+  namespace: argo-workflows
+  annotations:
+    kubernetes.io/service-account.name: admin-user
+type: kubernetes.io/service-account-token

k8s/services/argo-workflows/sealedsecrets.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: secrets-argo-server-sso
+  namespace: argo-workflows
+spec:
+  encryptedData:
+    client-id: AgBLae+Tym75VhhsY4IK4VXlFKaP9ono6wF71N70X6krXVkURqBg3ncm9HvV6iO8ouPB3LWTRmQsNf0W2MbFD+wMPKGQcuUg3gSFOheDXF5rlUn5VuChDgBcbzemBHArlddVOsTFmuqUixhcMKbXenUHjNqW88N8j0GCxajnTpyPsW4nRHdBLzhqmliJWJCAbhtzGXV+0DM3UbW329ktYoDVFMMwM2RMZS39Uk65zoOqLsWR1eU9vI7PNrQpbcK1GJ3ZyqWfwcD5g6Az+/TiOx2PVkUtfeCqry1KNHCzANytpApcOTYUngg0XBW4vi/Gu84aNpAPXP3SBWOSah+4REgOBl/DlojUTIMIz/UJCvZViWbK6szg9+/RJtW2WKZQ2Pob3rfAtuZ0JKOrjG9koklthLWzjthzZVXk7JBy79GU84Gj7cQv52WwHbMPvIaPrzl5wJlMUZLnCQ8jSNvXpAmQdBf4wres6KMUlPGPw1aF75LNvlrju66dv1f7lRC6Uao7L39jvCXx95dznI2fcybZyE/W+aVznnpUNk/dfHKc4IB12g5DCtq8AfiTlZD72Fq+eMOn3xSlJ+pB6FQXRFLrdnc8f25pw7pqbf3zi/p+ylVdpMiLLTaL0M06RJbTVk5BT28HjGVMslBaR+4pJKLFNL2XwRW1VHteAhPtrvfe/zw5/pXSmK78pZ4UqsW9bb7+dUlQ/OSASwe3xZrs0ogB7yidvUjtQlpS/Ocumcq1mm5X/gRvShz1yqcvaDZ01/sR8ZXQtOAAJEvMLLDS2rugzYFp
+    client-secret: AgA8/QhgkPt3QRwa5zDQhlyhnYJurwGd/Uigo5WNIyUAh1vqqfmGlRAyJ9YQRJKPaJmTTU1nsaulOtS8Lafe4pAhXTsGaGsP7r+pntRii1KV79avl6e94zrH8LdhkrWxzaKLh6sW7Lj+Q3Cxj/Anh5jRSyIKGB0lpbR2RDE9XuBGx6r+jKS+8WXCn3Bxh2/ZEOBttAIWT59KxdwhZLeh/N5P809V1h8O7pxBdvvuyvK/nkBxJPWzO85zZnAiszLwraoOoiMZbfo4Z+Uzxf1dlGUxj2ZEoq3gWN9cuWRNoLxMJ1sq26zez99fyPbDD19+y0k6o+dNSQRLfFkhbgLgqCDUvWs3QzoV52oBe3zJ/of37hD03bLl1CUuJQcO8a8hoOsBqe7as+tmJTefKx67jjoUbtGPwoNYwakU2gH74rAlQE7NN/d1LuzjZSnivv27X2pTD169Ts4q/CjBUVVbSrLn/o5icEXu+d1SSFNhiFXI7/lcM/vi7CBVKuxmIsiJ0ka+mpnF6FTgsbcRvNKkFz0qZPGpx0Q7eg7tvvW7wh8aBk8k3Rh+Xp9ZXKGwRUlpBfDCVf2LB0tN5N2ieHgcy41Hxy+v7Ce5+qjTel/NkA2y67M7B5X/ji6+N+1a9wwKwTdQOze60Q/EfK8MPF8X3lpfarGhieWbGQAnHmQW0tVWBIjAnOSYbgrfoeyg2XPYg1vW7YetTfPGdF7QDhmnAEmPeBYbubMDwmXpofrpM1vz87degAL9L6kqyWF+XQph/pVAU5c1cHD30t383j0HTK5uG/dwHbWzt9k9hyz94Un0mXRohz/zAT2NIv1dwM9yv9VC3v89mkcapjlUlxBApPYcow6WWOvvcadyTrEXlVjskQ==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: secrets-argo-server-sso
+      namespace: argo-workflows

k8s/services/argo/project-management.yaml

@@ -16,6 +16,8 @@ spec:
       server: https://kubernetes.default.svc
     - namespace: system-upgrade
       server: https://kubernetes.default.svc
+    - namespace: argo-workflows
+      server: https://kubernetes.default.svc
   clusterResourceWhitelist:
     - group: "*"
       kind: "*"
@@ -27,3 +29,4 @@ spec:
     - https://kubernetes-sigs.github.io/descheduler/
     - https://github.com/rancher/system-upgrade-controller.git
     - https://charts.bitnami.com/bitnami
+    - https://argoproj.github.io/argo-helm

tofu/adguard/main.tf

@@ -90,3 +90,18 @@ resource "adguard_rewrite" "authentik" {
   domain = "auth.fukurokuju.dev"
   answer = "192.168.1.12"
 }
+
+resource "adguard_rewrite" "ci_local_1" {
+  domain = "ci.fuku"
+  answer = "192.168.1.31"
+}
+
+resource "adguard_rewrite" "ci_local_2" {
+  domain = "ci.fuku"
+  answer = "192.168.1.32"
+}
+
+resource "adguard_rewrite" "ci_local_3" {
+  domain = "ci.fuku"
+  answer = "192.168.1.33"
+}

tofu/authentik/.terraform.lock.hcl

@@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/goauthentik/authentik" {
+  version     = "2024.2.0"
+  constraints = "2024.2.0"
+  hashes = [
+    "h1:AeyEcplt1WTQijM1d2E1pBPemcL57WC5bZr7y1XNui4=",
+    "zh:03b13879c66d1536f250c91f61ba078cc34af2fec271ea19c838a719dd4f1baa",
+    "zh:1c4d93aa3de72e4b00ac33fc0d4134fc5a641b863e9cd9afdc1105a4024fc8f0",
+    "zh:50d2f5b71ea5410633dbc8b143bef6fa77a9670a07a3fd85f9921e1094ab416e",
+    "zh:5320a267adb8506c23941df1c4cba56a176d0b9e0441f247fe714d34a514fcc8",
+    "zh:58376699c8941c109e49db7edfca4f83ec47b5b46619346380ca79d50902623e",
+    "zh:61f86a37dcb30167d1bfb84428b821de10c73cdec1ef911f167991ebc7eb9cd5",
+    "zh:6e99b5cf0f5987e3e3e24e26af12084f741a0f0b79a04d0b7e6703525cf4633e",
+    "zh:81c39322353f7da1c84c4ec82b6e7de70131156b256de21aee741240694e5bef",
+    "zh:bbec3872accea0294c86f812d668f9e2e8255b3d1f7424b39ddc261d6d02e036",
+    "zh:c1b56e5c4e82c683baf7854153caa85c600001ca6d1405f0d82a1aa29a600375",
+    "zh:cf4e41422aba2435f68bf1cf6c1e83315fe70c810dfd7e81a581d94490d6870b",
+    "zh:d86a2383e7fae38c9ea80f87d27d34d46a13fa24579b4612a248c888a3c9e265",
+    "zh:df693bc3156a2d632843abad9294d9192d1569039800c59e8a594c1b8e0fc9df",
+    "zh:e1a7148102d5a169dfb24c0de8441f3a9c25363976f4f2ce97f4c0b2e904302c",
+  ]
+}

tofu/authentik/main.tf

@@ -0,0 +1,32 @@
+terraform {
+  backend "s3" {
+    bucket = "fuku-terraform"
+    key    = "authentik/terraform"
+    region = "us-east-1"
+  }
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+  }
+}
+
+data "authentik_user" "catalin" {
+  username = "catalin"
+}
+
+resource "authentik_group" "ci" {
+  name  = "ci"
+  users = [data.authentik_user.catalin.id]
+}
+
+module "argo-workflows" {
+  source              = "../modules/authentik"
+  app_name            = "Argo Workflows"
+  app_slug            = "argo-workflows"
+  client_id           = var.argo_workflows_client_id
+  client_secret       = var.argo_workflows_client_secret
+  app_access_group_id = authentik_group.ci.id
+  redirect_uris = ["https://ci.fuku/oauth2/callback"]
+}

tofu/authentik/sample.env

@@ -0,0 +1,4 @@
+ AUTHENTIK_URL=https://auth.fukurokuju.dev
+ AUTHENTIK_TOKEN=
+ TF_VAR_argo_workflows_client_id=
+ TF_VAR_argo_workflows_client_secret=

tofu/authentik/vars.tf

@@ -0,0 +1,9 @@
+variable "argo_workflows_client_id" {
+  description = "Client ID"
+  type        = string
+}
+
+variable "argo_workflows_client_secret" {
+  description = "Client secret"
+  type        = string
+}

tofu/modules/authentik/main.tf

@@ -0,0 +1,45 @@
+terraform {
+  required_providers {
+    authentik = {
+      source  = "goauthentik/authentik"
+      version = "2024.2.0"
+    }
+  }
+}
+data "authentik_flow" "default-authorization-flow" {
+  slug = "default-provider-authorization-implicit-consent"
+}
+
+data "authentik_scope_mapping" "default-scopes" {
+  managed_list = [
+    "goauthentik.io/providers/oauth2/scope-email",
+    "goauthentik.io/providers/oauth2/scope-openid",
+    "goauthentik.io/providers/oauth2/scope-profile",
+    "goauthentik.io/providers/oauth2/scope-offline_access",
+  ]
+}
+
+
+resource "authentik_provider_oauth2" "provider_oidc" {
+  name               = var.app_name
+  client_id          = var.client_id
+  client_secret      = var.client_secret
+  authorization_flow = data.authentik_flow.default-authorization-flow.id
+  redirect_uris      = var.redirect_uris
+  property_mappings  = data.authentik_scope_mapping.default-scopes.ids
+  sub_mode           = var.sub_mode
+  signing_key        = var.oidc_signing_key
+}
+
+
+resource "authentik_application" "app" {
+  name              = var.app_name
+  slug              = var.app_slug
+  protocol_provider = authentik_provider_oauth2.provider_oidc.id
+
+}
+resource "authentik_policy_binding" "app_access" {
+  target = authentik_application.app.uuid
+  group  = var.app_access_group_id
+  order  = 0
+}

tofu/modules/authentik/vars.tf

@@ -0,0 +1,40 @@
+variable "app_name" {
+  description = "App name"
+  type        = string
+}
+
+variable "app_slug" {
+  description = "App slug, a human-readable URL identifier, e.g.: Google -> google"
+  type        = string
+}
+
+variable "client_id" {
+  description = "Client ID"
+  type        = string
+}
+
+variable "client_secret" {
+  description = "Client secret"
+  type        = string
+}
+
+variable "app_access_group_id" {
+  description = "ID of a group which will have access to the app"
+  type        = string
+}
+
+variable "redirect_uris" {
+  description = "List of URIs allowed to redirect to"
+  type        = list(string)
+}
+
+variable "sub_mode" {
+  type = string
+  default = "user_username"
+}
+
+variable "oidc_signing_key" {
+  type        = string
+  description = "Signing key"
+  default     = "c4ff5edf-3cad-4093-9326-44fea088e670"
+}