diff --git a/manifests/platform/argocd/operator/components/argocd.yaml b/manifests/platform/argocd/operator/components/argocd.yaml
index 3d23006..34c476d 100644
--- a/manifests/platform/argocd/operator/components/argocd.yaml
+++ b/manifests/platform/argocd/operator/components/argocd.yaml
@@ -103,9 +103,9 @@ spec:
 # https://argocd-operator.readthedocs.io/en/latest/reference/argocd/#oidc-config
 oidcConfig: |
 name: azure
- issuer: https://login.microsoftonline.com//v2.0
- clientID:
- clientSecret:
+ issuer: https://login.microsoftonline.com//v2.0
+ clientID:
+ clientSecret:
 # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
 requestedScopes: ["openid", "profile", "email", "groups"]
 # Optional set of OIDC claims to request on the ID token.
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index 2e326c5..f7f98d1 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
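Review bot: `clientSecret:` under `oidcConfig` keeps the Azure AD client secret inline in the ArgoCD CR, and per the operator reference linked in the hunk that block is rendered into the `argocd-cm` ConfigMap's `oidc.config`, so anyone with ConfigMap read in the `argocd` namespace can read it; the value itself is not visible in this extraction, so treat this as a check rather than a confirmed leak. Argo CD's `oidc.config` accepts secret references of the form `$<secret-name>:<key>`, so the safer line is `clientSecret: $argocd-secret:oidc.azure.clientSecret` (or a reference into whichever Secret external-secrets populates), keeping the material in a Kubernetes Secret. The `issuer` line also reads `https://login.microsoftonline.com//v2.0` on both the old and new side, with nothing between the slashes where the tenant ID belongs; that is probably an extraction artifact, but confirm the rendered value is `https://login.microsoftonline.com/<tenant-id>/v2.0`, since a malformed issuer makes discovery fail and, in the worst case, tempts someone to disable issuer validation.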
@@ -153,6 +153,28 @@ resource "google_secret_manager_secret_iam_member" "quay_pull_secret_accessor" {
 member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:external-secrets"
 }
 
+# argocd SA access to Azure AD secrets
+resource "google_secret_manager_secret_iam_member" "argocd_azure_tenant_id_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "azure_tenant_id"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
+}
+
+resource "google_secret_manager_secret_iam_member" "argocd_azure_client_id_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "azure_client_id"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
+}
+
+resource "google_secret_manager_secret_iam_member" "argocd_azure_client_secret_accessor" {
+ project = data.google_project.okd_homelab.project_id
+ secret_id = "azure_client_secret"
+ role = "roles/secretmanager.secretAccessor"
+ member = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
+}
+
 # Azure
 ------------------------------------------------------------------------------------------------------------------
 resource "azuread_application" "okd_cluster" {
diff --git a/terraform/okd/provider.tf b/terraform/okd/provider.tf
index a3f944f..4f82524 100644
--- a/terraform/okd/provider.tf
+++ b/terraform/okd/provider.tf
@@ -1,8 +1,3 @@
-provider "google" {
- project = var.homelab_project_id
- region = "us-east1"
-}
-
 provider "azuread" {
 tenant_id = var.azure_tenant_id
 }
\ No newline at end of file
diff --git a/terraform/okd/variables.tf b/terraform/okd/variables.tf
index e273a87..497ea6e 100644
--- a/terraform/okd/variables.tf
+++ b/terraform/okd/variables.tf
@@ -1,8 +1,3 @@
-variable "homelab_project_id" {
- description = "The GCP project ID for homelab management."
- type = string
-}
-
 variable "azure_tenant_id" {
 description = "The tenant ID for Azure Active Directory."
 type = string
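Review bot: The new `argocd_azure_client_secret_accessor` grants `roles/secretmanager.secretAccessor` on `azure_client_secret` to `system:serviceaccount:argocd:argocd-argocd-repo-server`, the Argo CD component that renders manifests from Git (Helm, Kustomize, config-management plugins) and therefore runs the least trusted code in the deployment; the OIDC client secret is consumed by argocd-server, not the repo-server, so if the intent (not visible here) is to template these values into the ArgoCD CR at render time, the client secret ends up in rendered manifests and the repo-server cache rather than only in a Kubernetes Secret. Prefer routing the secret through the `external-secrets` principal already granted on the context line above the hunk, so it lands in a Secret that argocd-server can reference, and keep the repo-server grant to the non-sensitive `azure_tenant_id`/`azure_client_id` if those must be rendered. As a matter of style, the three blocks differ only in `secret_id` and read better as one `for_each` resource (below); since the resources are new in this commit there is no state to migrate for the changed addresses. Note also that provider.tf in the same commit removes the `provider "google"` block, so these resources now depend on an implicit default provider configuration whose credentials and project come from the environment — worth confirming `terraform plan` still resolves `data.google_project.okd_homelab`.
```hcl
# argocd repo-server access to the Azure AD OIDC values in Secret Manager.
# NOTE(review): consider dropping "azure_client_secret" from this set and
# delivering it via external-secrets to a Kubernetes Secret instead.
resource "google_secret_manager_secret_iam_member" "argocd_azure_secret_accessor" {
  for_each  = toset(["azure_tenant_id", "azure_client_id", "azure_client_secret"])
  project   = data.google_project.okd_homelab.project_id
  secret_id = each.key
  role      = "roles/secretmanager.secretAccessor"
  member    = "principal://iam.googleapis.com/projects/${data.google_project.okd_homelab.number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.okd_pool.workload_identity_pool_id}/subject/system:serviceaccount:argocd:argocd-argocd-repo-server"
}
# … unchanged: # Azure section …
```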