From f8777a2c9695ece5cf0945e3388699cd243b5ed9 Mon Sep 17 00:00:00 2001
From: Simon Emms
Date: Mon, 11 Nov 2024 21:51:37 +0000
Subject: [PATCH] feat(argocd): configure dex on argocd to use github

---
 .github/workflows/build.yml | 4 +++
 modules/kubernetes/README.md | 6 ++++
 modules/kubernetes/argocd.tf | 45 ++++++++++++++++++++++++++--
 modules/kubernetes/files/argocd.yaml | 4 +++
 modules/kubernetes/variables.tf | 22 ++++++++++++++
 5 files changed, 79 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5f76f52..f5e2354 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,6 +20,10 @@ env:
 TF_VAR_infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
 TF_VAR_ssh_key: ${{ secrets.SSH_KEY_PRIVATE }}
 TF_VAR_ssh_key_public: ${{ secrets.SSH_KEY_PUBLIC }}
+ TF_VAR_argocd_github_client_id: ${{ secrets.GH_CLIENT_ID }}
+ TF_VAR_argocd_github_client_secret: ${{ secrets.GH_CLIENT_SECRET }}
+ TF_VAR_argocd_github_org: ${{ secrets.GH_ORG }}
+ TF_VAR_argocd_github_teams: ${{ secrets.GH_TEAMS }}
 TF_VERSION: '1.9.3'
 TG_VERSION: '0.66.1'
 WORKING_DIR: stacks/prod
diff --git a/modules/kubernetes/README.md b/modules/kubernetes/README.md
index f0f044f..ea9aa24 100644
--- a/modules/kubernetes/README.md
+++ b/modules/kubernetes/README.md
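Review bot: `TF_VAR_argocd_github_teams` feeds a `list(string)` variable, so the `GH_TEAMS` secret must hold an HCL list literal such as `["platform-admins"]`; a bare comma-separated value should be rejected by Terraform's type check at plan time rather than silently widening access, but the required format is not stated anywhere, so a comment next to the env line would help, e.g. `# GH_TEAMS must be an HCL list literal, e.g. ["team-a","team-b"]`. Separately, the org and team names are authorization policy rather than credentials; keeping them in `secrets` means the login policy is masked in every log and cannot be reviewed, whereas `vars.GH_ORG` / `vars.GH_TEAMS` would keep it visible while the client ID and secret rightly stay in `secrets`. Whether `GH_TEAMS` is already stored as a list literal cannot be seen from here.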
@@ -30,7 +30,9 @@ No modules.
 | [helm_release.hcloud_ccm](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.hcloud_csi](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
 | [helm_release.ingress_nginx](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_namespace_v1.argocd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
 | [kubernetes_namespace_v1.external_secrets](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace_v1) | resource |
+| [kubernetes_secret_v1.github_secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [kubernetes_secret_v1.hcloud](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [kubernetes_secret_v1.infisical](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret_v1) | resource |
 | [random_integer.ingress_load_balancer_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/integer) | resource |
@@ -39,6 +41,10 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| [argocd\_github\_client\_id](#input\_argocd\_github\_client\_id) | GitHub OIDC client ID for Dex | `string` | n/a | yes |
+| [argocd\_github\_client\_secret](#input\_argocd\_github\_client\_secret) | GitHub OIDC client secret for Dex | `string` | n/a | yes |
+| [argocd\_github\_org](#input\_argocd\_github\_org) | GitHub org to use for Dex OIDC | `string` | n/a | yes |
+| [argocd\_github\_teams](#input\_argocd\_github\_teams) | GitHub teams to use for Dex OIDC | `list(string)` | n/a | yes |
 | [argocd\_version](#input\_argocd\_version) | Version of ArgoCD to use - defaults to latest | `string` | `null` | no |
 | [cluster\_issuer](#input\_cluster\_issuer) | Cluster issuer to use for certificate | `string` | `"letsencrypt-staging"` | no |
 | [domain](#input\_domain) | Domain to use - this may be a top-level or subdomain | `string` | n/a | yes |
diff --git a/modules/kubernetes/argocd.tf b/modules/kubernetes/argocd.tf
index 4ec6706..c0e931f 100644
--- a/modules/kubernetes/argocd.tf
+++ b/modules/kubernetes/argocd.tf
@@ -12,13 +12,34 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+resource "kubernetes_namespace_v1" "argocd" {
+ metadata {
+ name = "argocd"
+ }
+}
+
+resource "kubernetes_secret_v1" "github_secret" {
+ metadata {
+ name = "github-oidc"
+ namespace = kubernetes_namespace_v1.argocd.metadata[0].name
+ labels = {
+ "app.kubernetes.io/part-of" = "argocd"
+ }
+ }
+
+ data = {
+ clientId = var.argocd_github_client_id
+ clientSecret = var.argocd_github_client_secret
+ }
+}
+
 resource "helm_release" "argocd" {
 chart = "argo-cd"
 name = "argocd"
 atomic = true
 cleanup_on_fail = true
 create_namespace = true
- namespace = "argocd"
+ namespace = kubernetes_namespace_v1.argocd.metadata[0].name
 repository = "https://argoproj.github.io/argo-helm"
 reset_values = true
 version = var.argocd_version
@@ -29,7 +50,27 @@ resource "helm_release" "argocd" {
 values = [
 templatefile("${path.module}/files/argocd.yaml", {
 cluster_issuer = var.cluster_issuer
- domain = "argocd.${var.domain}"
+ dex_config = {
+ connectors = [
+ {
+ type = "github"
+ id = "github"
+ name = "GitHub"
+ config = {
+ # Prepend with a $ so it looks for the secret
+ clientID = join("", ["$", "${kubernetes_secret_v1.github_secret.metadata[0].name}:clientId"])
+ clientSecret = join("", ["$", "${kubernetes_secret_v1.github_secret.metadata[0].name}:clientSecret"])
+ orgs = [
+ {
+ name = var.argocd_github_org
+ teams = var.argocd_github_teams
+ }
+ ]
+ }
+ }
+ ]
+ }
+ domain = "argocd.${var.domain}"
 })
 ]
 
diff --git a/modules/kubernetes/files/argocd.yaml b/modules/kubernetes/files/argocd.yaml
index ebcacfa..890c895 100644
--- a/modules/kubernetes/files/argocd.yaml
+++ b/modules/kubernetes/files/argocd.yaml
@@ -25,6 +25,10 @@ server:
 secretName: argocd-tls
 configs:
 cm:
+ admin.enabled: false
+ dex.config: |-
+ ${indent(6, yamlencode(dex_config))}
 statusbadge.enabled: true
+ url: https://${domain}
 params:
 server.insecure: true
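Review bot: `kubernetes_secret_v1.github_secret` passes the GitHub client secret through `data`, which means its plaintext is also persisted in Terraform state; `sensitive = true` on the variables only redacts plan and apply output, so the state backend's encryption and access control now sits inside the OIDC trust boundary and deserves a comment on the resource, e.g. `# NOTE: clientSecret is also held in Terraform state; keep the state backend encrypted and access-restricted`. The `app.kubernetes.io/part-of = "argocd"` label is the only thing that lets Argo CD resolve the `$github-oidc:...` references from its config, so a one-line comment saying so would stop a future cleanup from removing it. `create_namespace = true` on `helm_release.argocd` is now redundant with the managed `kubernetes_namespace_v1.argocd`; setting it to `false` leaves a single owner for the namespace. The `helm_release` block continues past the end of this hunk.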
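Review bot: The `join("", ["$", "...:clientId"])` construction in the Dex `config` block hides the one fact the comment is trying to convey — that Argo CD dereferences `$<secret-name>:<key>` at runtime — and `format("$%s:clientId", kubernetes_secret_v1.github_secret.metadata[0].name)` yields the same string without the join trick. Restricting login to `orgs[].teams` is the right shape, but nothing in this hunk guards against `var.argocd_github_teams` being `[]`, and per Dex's GitHub connector an org entry with no teams admits every member of the org, so the comment should state that, e.g. `# teams must be non-empty: an org with no teams lets every org member log in`. Note that Dex only authenticates; what these users may do in Argo CD is decided by `configs.rbac`, which this change does not set. The enclosing `helm_release` block starts before this hunk.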
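Review bot: `admin.enabled: false` removes the built-in admin account, but no `configs.rbac` policy maps the GitHub teams to an Argo CD role; with the chart's defaults (no `policy.csv`, empty `policy.default`) the GitHub users can log in but hold no permissions, so once this lands there appears to be no identity able to administer Argo CD. Add a `configs.rbac` block next to `cm`, e.g. `policy.csv: |` followed by `g, <org>:<team>, role:admin` for the admin team (Argo CD receives GitHub groups from Dex as `org:team`), and keep `policy.default` restrictive rather than `role:admin`. The indentation of the added lines was lost in this rendering, so whether `dex.config` sits under `cm` at the right level cannot be confirmed here. `server.insecure: true` is pre-existing context and presumably relies on TLS termination at the ingress (`argocd-tls` above); it is not changed by this hunk.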
diff --git a/modules/kubernetes/variables.tf b/modules/kubernetes/variables.tf
index eed0e87..4baa75f 100644
--- a/modules/kubernetes/variables.tf
+++ b/modules/kubernetes/variables.tf
@@ -18,6 +18,28 @@ variable "argocd_version" {
 default = null
 }
 
+variable "argocd_github_org" {
+ type = string
+ description = "GitHub org to use for Dex OIDC"
+}
+
+variable "argocd_github_teams" {
+ type = list(string)
+ description = "GitHub teams to use for Dex OIDC"
+}
+
+variable "argocd_github_client_id" {
+ type = string
+ description = "GitHub OIDC client ID for Dex"
+ sensitive = true
+}
+
+variable "argocd_github_client_secret" {
+ type = string
+ description = "GitHub OIDC client secret for Dex"
+ sensitive = true
+}
+
 variable "cluster_issuer" {
 type = string
 description = "Cluster issuer to use for certificate"
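Review bot: `argocd_github_teams` accepts an empty list, and an org entry with no teams is treated by Dex's GitHub connector as "any member of the org", so a mis-set `GH_TEAMS` silently widens Argo CD login from a few teams to the whole organisation; a `validation` block on the variable turns that into a plan-time error instead. `argocd_github_client_id` being `sensitive` is harmless but unusual — an OAuth client ID is public by design — so either drop the flag or add a comment explaining why it is hidden. The descriptions say "OIDC", but the connector being configured is Dex's GitHub OAuth2 connector, so `GitHub OAuth client secret for Dex` would describe the value more accurately.

```terraform
variable "argocd_github_teams" {
  type        = list(string)
  description = "GitHub teams to use for Dex OIDC"

  validation {
    condition     = length(var.argocd_github_teams) > 0
    error_message = "argocd_github_teams must name at least one team; an empty list lets every member of the org log in."
  }
}
```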