feat: automated deployment for argocd in single cluster mode

Author: Jagoum

argocd/deploy-argocd/.gitignore

@@ -0,0 +1,28 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash logs
+crash.log
+crash.*.log
+
+# Sensitive variable files (where you store your Keycloak credentials)
+*.tfvars
+*.tfvars.json
+override.tf
+override.tf.json
+_override.tf
+_override.tf.json
+
+# Local environment files
+.envrc
+.env
+
+# MacOS files
+.DS_Store
+
+# Helm local cache/logs
+.helm/

argocd/deploy-argocd/README.md

@@ -0,0 +1,18 @@
+# Modular ArgoCD Deployment with Keycloak OIDC & RBAC
+
+This Terraform module deploys **ArgoCD** into a Kubernetes cluster using the official Helm chart. It is designed to be modular, supporting deployment to different clusters (Control Plane vs. Workload) with toggleable features for **Keycloak (OIDC) integration** and **RBAC (Role-Based Access Control)**.
+
+---
+
+##  Directory Structure
+
+```text
+.
+├── modules/
+│   └── argocd/               # Core Logic (Don't touch unless modifying the blueprint)
+└── environments/
+    └── control-plane/        # Deployment configuration for your specific cluster
+        ├── main.tf
+        ├── variables.tf      # Define your cluster context and secrets here
+        ├── terraform.tfvars  # (Optional) Store non-sensitive values here
+        └── providers.tf      # Configures connection to the specific K8s cluster

argocd/deploy-argocd/main.tf

@@ -0,0 +1,98 @@
+# =============================================================================
+# SECTION 1: KEYCLOAK CONFIGURATION
+# Configure the existing Keycloak to accept ArgoCD logins
+# =============================================================================
+
+# 1. Create the OIDC Client
+resource "keycloak_openid_client" "argocd" {
+  realm_id                     = var.target_realm
+  client_id                    = "argocd-client"
+  name                         = "ArgoCD"
+  enabled                      = true
+  access_type                  = "CONFIDENTIAL"
+  standard_flow_enabled        = true
+  direct_access_grants_enabled = true
+
+  # This must match your ArgoCD URL exactly
+  valid_redirect_uris = [
+    "${var.argocd_url}/auth/callback",
+    "${var.argocd_url}/*"  # Temporary wildcard to troubleshoot
+  ]
+}
+
+resource "keycloak_openid_client_default_scopes" "client_default_scopes" {
+  realm_id  = var.target_realm
+  client_id = keycloak_openid_client.argocd.id
+
+  default_scopes = [
+    "openid",
+    "profile",
+    "email",
+    "roles"
+  ]
+}
+
+# 2. Create the Client Secret
+# (The provider generates this automatically, we just access it later)
+
+# 3. Create Group Mapper
+# This ensures Keycloak sends the "groups" claim so ArgoCD can do RBAC
+resource "keycloak_openid_group_membership_protocol_mapper" "groups" {
+  realm_id   = var.target_realm
+  client_id  = keycloak_openid_client.argocd.id
+  name       = "group-mapper"
+  claim_name = "groups"
+  full_path = false
+}
+
+# =============================================================================
+# SECTION 2: ARGOCD DEPLOYMENT (HELMS)
+# Deploy ArgoCD to GKE and inject the secrets from Section 1
+# =============================================================================
+
+resource "helm_release" "argocd-test" {
+  name             = "argocd"
+  repository       = "https://argoproj.github.io/argo-helm"
+  chart            = "argo-cd"
+  namespace        = "argocd-test"
+  create_namespace = true
+  version          = "5.51.0" 
+  skip_crds = true
+
+  # Using values (YAML) instead of set avoids comma parsing errors entirely
+  values = [
+    yamlencode({
+      configs = {
+        cm = {
+          url = var.argocd_url
+          "oidc.config" = yamlencode({
+            name            = "Keycloak"
+            issuer          = "${var.keycloak_url}/realms/${var.target_realm}"
+            clientID        = keycloak_openid_client.argocd.client_id
+            clientSecret    = keycloak_openid_client.argocd.client_secret
+            requestedScopes = ["openid", "profile", "email"]
+
+            rootCA = ""
+          })
+        }
+        rbac = {
+          "policy.csv" = "g, /ArgoCDAdmins, role:admin"
+        }
+      }
+      server = {
+        service = {
+          type = "LoadBalancer"
+        }
+      }
+    })
+  ]
+}
+
+# =============================================================================
+# OUTPUTS
+# =============================================================================
+
+output "argocd_admin_secret" {
+  value = keycloak_openid_client.argocd.client_secret
+  sensitive = true
+}

argocd/deploy-argocd/provider.tf

@@ -0,0 +1,28 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source  = "mrparkers/keycloak"
+      version = ">= 4.0.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = ">= 2.0.0"
+    }
+  }
+}
+
+# 1. Connect to your EXISTING Keycloak
+provider "keycloak" {
+  client_id = "admin-cli"
+  url       = var.keycloak_url      # e.g. https://auth.example.com
+  username  = var.keycloak_user
+  password  = var.keycloak_password
+}
+
+# 2. Connect to GKE using your local terminal credentials
+provider "helm" {
+  kubernetes = {
+    config_path    = "~/.kube/config"
+    config_context = var.kube_context # Optional: specify if you have multiple contexts
+  }
+}

argocd/deploy-argocd/variables.tf

@@ -0,0 +1,33 @@
+# --- Keycloak Settings ---
+variable "keycloak_url" {
+  description = "The URL of your existing Keycloak (e.g., https://auth.example.com)"
+  type        = string
+}
+
+variable "keycloak_user" {
+  description = "Keycloak Admin Username"
+  type        = string
+}
+
+variable "keycloak_password" {
+  description = "Keycloak Admin Password"
+  type        = string
+  sensitive   = true
+}
+
+variable "target_realm" {
+  description = "The Keycloak Realm where ArgoCD will be registered"
+  default     = "argocd" # Change if using a specific realm
+}
+
+# --- ArgoCD Settings ---
+variable "argocd_url" {
+  description = "The final URL where you will access ArgoCD (e.g., https://argocd.example.com)"
+  type        = string
+}
+
+variable "kube_context" {
+  description = "The context name in your kubeconfig (run 'kubectl config current-context')"
+  type        = string
+  default     = "" # If empty, uses current context
+}