FEAT(authelia): add SSO to Vault and ArgoCD

- Add Authelia SSO to vault and argocd ingress
- Enable single sign-on authentication

argocd/argocd-cm.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  # Enable anonymous access (Authelia handles authentication)
+  users.anonymous.enabled: "true"

argocd/argocd-rbac-cm.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  # Grant admin role to anonymous users (Authelia handles authentication)
+  policy.csv: |
+    g, , role:admin
+  policy.default: role:admin

argocd/ingress.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: argocd
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
 spec:
   ingressClassName: traefik
   tls:

argocd/kustomization.yaml

@@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - namespace.yaml
+- argocd-cm.yaml
+- argocd-rbac-cm.yaml
 - argocd-cmd-params-cm.yaml
 - ingress.yaml

traefik/ingress.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: kube-system
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.middlewares: authelia-authelia-auth@kubernetescrd
 spec:
   ingressClassName: traefik
   tls: