This post goes over how to set up single sign-on for ArgoCD. I use GitHub as the OAuth client, but any other OAuth provider should also work.
OAuth GitHub App
Creating an OAuth app - GitHub Docs
From your GitHub account, create a new OAuth application at https://github.com/settings/developers
Fill out the form; the authorization callback URL will be https://ARGOCD_DOMAIN/api/dex/callback
Once the app has been created, click Generate Client secret. Copy the generated secret string somewhere secure; it will be used in the next step.
Storage of Secret
If you are not using AWS and ExternalSecrets, skip to the Manual Secret step.
Note: both methods require the secret to carry the label app.kubernetes.io/part-of: argocd, because ArgoCD only resolves $secret:key references in argocd-cm against secrets that have this label.
AWS Secrets Manager
Create an AWS secret called k8s/argocd/oidc with the keys:
- clientID: the Client ID shown on the GitHub OAuth app
- clientSecret: the client secret generated in the previous step
Using an ExternalSecret, reference the secret just created.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argocd-oidc-secret
  namespace: argocd
spec:
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: k8s/argocd/oidc
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secret-store
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd
Manual Secret
Create a secret that contains the clientID and clientSecret.
apiVersion: v1
kind: Secret
metadata:
  name: argocd-oidc-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
type: Opaque
data:
  clientID: # base64-encoded client ID
  clientSecret: # base64-encoded client secret
ArgoCD OIDC
Reference: ArgoCD documentation
Edit the configmap argocd-cm and add the following data items.
data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: $argocd-oidc-secret:clientID
          clientSecret: $argocd-oidc-secret:clientSecret
          orgs:
            - name: GITHUB_ORG
Replace the URL with your domain name and GITHUB_ORG with your GitHub org.
If the change is not picked up automatically, restart the dex deployment or the application server:
kubectl rollout restart -n argocd deployment argo-cd-argocd-dex-server
Permissions
Edit the configmap argocd-rbac-cm.
The following grants all users in the GitHub group GITHUB_ORG:GROUP (org GITHUB_ORG, team GROUP) the readonly role.
data:
  policy.csv: |
    g, GITHUB_ORG:GROUP, role:readonly
ArgoCD has default policies for readonly and admin, which can be found here.
An example of a custom read-only role scoped to a single project and repository:
p, role:project-readonly, repositories, get, git@github.com:GITHUB_ORG/REPO.git, allow
p, role:project-readonly, projects, get, PROJECT, allow
p, role:project-readonly, applications, get, PROJECT/*, allow
p, role:project-readonly, logs, get, PROJECT/*, allow
It can then be assigned the same way: g, GITHUB_ORG:GROUP, role:project-readonly
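To check a policy.csv for least privilege before applying it, here is a small evaluator added to this post (it is not ArgoCD's or Casbin's own code). It assumes ArgoCD's default glob matching mode, the deny-overrides effect of its Casbin model, and a single level of group-to-role binding; the policy text is constructed from the custom role above.

```python
from fnmatch import fnmatchcase

# Constructed policy.csv: the custom read-only role from the post plus its group binding.
POLICY_CSV = """
p, role:project-readonly, repositories, get, git@github.com:GITHUB_ORG/REPO.git, allow
p, role:project-readonly, projects, get, PROJECT, allow
p, role:project-readonly, applications, get, PROJECT/*, allow
p, role:project-readonly, logs, get, PROJECT/*, allow
g, GITHUB_ORG:GROUP, role:project-readonly
"""


def parse_policy(csv_text):
    """Split policy.csv into 'p' permission rules and 'g' subject -> role bindings."""
    rules, bindings = [], {}
    for raw in csv_text.strip().splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # (subject, resource, action, object, effect)
        elif fields[0] == "g" and len(fields) == 3:
            bindings.setdefault(fields[1], set()).add(fields[2])
    return rules, bindings


def subjects_for(user, groups, bindings):
    """Subjects a request is checked under: the user, the org:team groups from the
    GitHub/Dex token, and every role bound to any of those (one level, assumed)."""
    subjects = {user, *groups}
    for subject in list(subjects):
        subjects |= bindings.get(subject, set())
    return subjects


def matching_rules(user, groups, resource, action, obj, rules, bindings):
    """Rules whose subject applies and whose resource/action/object globs all match."""
    subjects = subjects_for(user, groups, bindings)
    return [
        rule for rule in rules
        if rule[0] in subjects
        and fnmatchcase(resource, rule[1])
        and fnmatchcase(action, rule[2])
        and fnmatchcase(obj, rule[3])
    ]


def is_allowed(user, groups, resource, action, obj, rules, bindings):
    """Allow only when some matching rule says allow and none says deny (deny wins)."""
    matched = matching_rules(user, groups, resource, action, obj, rules, bindings)
    effects = {rule[4] for rule in matched}
    return "allow" in effects and "deny" not in effects
```

Run is_allowed for the actions your team should and should not have; a role that answers True for delete or sync on PROJECT/* is broader than the read-only intent.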