From 33a2ad843a96ca5bbdb56f704f0089fd55fbbf8f Mon Sep 17 00:00:00 2001
From: Kevin Powell Noumbissie <10553243+KepoParis@users.noreply.github.com>
Date: Mon, 9 Mar 2026 12:31:44 +0100
Subject: [PATCH] feat: update Argo CD oidc configuration to support multizones

---
 .../keycloak/templates/argocd-redirectUris.yaml.j2 | 6 ++++++
 .../keycloak/templates/argocd-webOrigins.yaml.j2 | 6 ++++++
 roles/gitops/post-install/keycloak/vars/main.yaml | 7 ++-----
 roles/socle-config/templates/crd-conf-dso.yaml | 13 +++++++++++++
 4 files changed, 27 insertions(+), 5 deletions(-)
 create mode 100644 roles/gitops/post-install/keycloak/templates/argocd-redirectUris.yaml.j2
 create mode 100644 roles/gitops/post-install/keycloak/templates/argocd-webOrigins.yaml.j2

diff --git a/roles/gitops/post-install/keycloak/templates/argocd-redirectUris.yaml.j2 b/roles/gitops/post-install/keycloak/templates/argocd-redirectUris.yaml.j2
new file mode 100644
index 000000000..cbbff7709
--- /dev/null
+++ b/roles/gitops/post-install/keycloak/templates/argocd-redirectUris.yaml.j2
@@ -0,0 +1,6 @@
+- https://{{ argocd_domain }}/auth/callback
+{% if dsc.argocd.secondaryZones is defined and dsc.argocd.secondaryZones %}
+{% for zone in dsc.argocd.secondaryZones %}
+- https://{{ zone.domain }}/auth/callback
+{% endfor %}
+{% endif %}
\ No newline at end of file
diff --git a/roles/gitops/post-install/keycloak/templates/argocd-webOrigins.yaml.j2 b/roles/gitops/post-install/keycloak/templates/argocd-webOrigins.yaml.j2
new file mode 100644
index 000000000..fca54b8dd
--- /dev/null
+++ b/roles/gitops/post-install/keycloak/templates/argocd-webOrigins.yaml.j2
@@ -0,0 +1,6 @@
+- https://{{ argocd_domain }}
+{% if dsc.argocd.secondaryZones is defined and dsc.argocd.secondaryZones %}
+{% for zone in dsc.argocd.secondaryZones %}
+- https://{{ zone.domain }}
+{% endfor %}
+{% endif %}
\ No newline at end of file
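Review bot: `zone.domain` on the fourth line is dereferenced with no guard, while the new `secondaryZones` schema in crd-conf-dso.yaml declares `domain` as an optional property, so an entry that passes CRD admission without a `domain` only fails here at deploy time (under Ansible's default undefined-variable handling) — and with a lenient undefined it would render `https:///auth/callback` and register that as a Keycloak redirect URI; the same applies to the fourth line of `argocd-webOrigins.yaml.j2`. Since these values become the exact-match redirect URIs and web origins the OIDC client will accept, the failure should be explicit rather than incidental: `- https://{{ zone.domain | mandatory }}/auth/callback` here and `- https://{{ zone.domain | mandatory }}` in the webOrigins template, and `domain` marked required in the CRD item schema. Both new templates also end with `\ No newline at end of file`; a trailing newline keeps them consistent with the rest of the role.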
diff --git a/roles/gitops/post-install/keycloak/vars/main.yaml b/roles/gitops/post-install/keycloak/vars/main.yaml
index 8aa3b0840..1111297bf 100644
--- a/roles/gitops/post-install/keycloak/vars/main.yaml
+++ b/roles/gitops/post-install/keycloak/vars/main.yaml
@@ -37,11 +37,8 @@ keycloak_clients:
 clientAuthenticatorType: client-secret
 standardFlowEnabled: true
 directAccessGrantsEnabled: true
- redirectUris:
- - https://{{ argocd_domain }}/auth/callback
- - "*"
- webOrigins:
- - https://{{ argocd_domain }}
+ redirectUris: "{{ lookup('ansible.builtin.template', 'argocd-redirectUris.yaml.j2') | from_yaml }}"
+ webOrigins: "{{ lookup('ansible.builtin.template', 'argocd-webOrigins.yaml.j2') | from_yaml }}"
 defaultClientScopes:
 - basic
 - generic
diff --git a/roles/socle-config/templates/crd-conf-dso.yaml b/roles/socle-config/templates/crd-conf-dso.yaml
index d30bccc0b..e8fdee72b 100644
--- a/roles/socle-config/templates/crd-conf-dso.yaml
+++ b/roles/socle-config/templates/crd-conf-dso.yaml
@@ -160,6 +160,19 @@ spec:
 zoneChartVersion:
 description: Version of the Helm Chart to use to manage zone objects. See https://github.com/cloud-pi-native/helm-charts/tree/main/charts/dso-argocd-zone
 type: string
+ secondaryZones:
+ description: List of secondary zones each run an Argo CD instance to manage all applications deployed in the secondary zone.
+ type: array
+ default: []
+ items:
+ type: object
+ properties:
+ name:
+ description: Name of the zone.
+ type: string
+ domain:
+ description: The fully qualified domain name of the Argo CD of the zone.
+ type: string
 required:
 - admin
 - installEnabled
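Review bot: The removed `- "*"` redirect URI disappears as a side effect of moving `redirectUris` into the template lookup, and neither the subject line nor the description mentions it. Tightening to exact-match URIs is the right direction — a wildcard redirect URI means the authorization code can be delivered to any destination the user can be sent to — but it is a behaviour change for anything that depended on the wildcard; if operators use the Argo CD CLI's SSO login, which presumably relies on a loopback redirect (port 8085 by default), it stops working until that URI is listed explicitly, e.g. `- http://localhost:8085/auth/callback` in `argocd-redirectUris.yaml.j2`. Either way this deserves a sentence in the commit description so the wildcard removal is reviewed on purpose rather than discovered at upgrade time. The `keycloak_clients` entry this hunk edits starts above the hunk.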
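Review bot: The `secondaryZones` item schema lists `name` and `domain` as properties but has no `required` entry and no constraint on `domain`, even though the Keycloak templates in this commit turn `domain` directly into an OIDC redirect URI and web origin. Adding `required: [name, domain]` on the item object and `format: hostname` (or a `pattern`) under `domain` rejects an entry that would yield a malformed or broader-than-intended URI at admission time instead of at playbook run time. The description `List of secondary zones each run an Argo CD instance to manage all applications deployed in the secondary zone.` reads awkwardly; `List of secondary zones, each running its own Argo CD instance that manages the applications deployed in that zone.` says the same thing more clearly. The enclosing `spec` schema continues on both sides of the hunk.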