This post goes over how to setup single sign on ArgoCD. I use GitHub for the OAuth client but any client should also work.

ArgoCD SSO with Dex

OAuth GitHub App

Creating an OAuth app - GitHub Docs

From your GitHub account create a new OAuth application https://github.com/settings/developers

Fill out the form the callback URL will be https://ARGOCD_DOMAIN/api/dex/callback

Once the app has been created click on Generate Client secret. Copy the secret string that is generated to somewhere secure, it will be used in the next step.

Storage of Secret

If your using not AWS and ExternalSecret skip to the step Manual Secret

Note both ways require that the secret has the label app.kubernetes.io/part-of: argocd

AWS Secrets Manager

Create a AWS secret called k8s/argocd/oidc

The the keys:

  • clientID: The value taken from the GitHub OAuth app Client ID
  • clientSecret: Client secret

Using external secret store reference the secret just created.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: argocd-oidc-secret
  namespace: argocd
spec:
  dataFrom:
    - extract:
        conversionStrategy: Default
        decodingStrategy: None
        key: k8s/argocd/oidc
  refreshInterval: 1m
  secretStoreRef:
    kind: ClusterSecretStore
    name: aws-secret-store
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    template:
      metadata:
        labels:
          app.kubernetes.io/part-of: argocd

Manual Secret

Create a secret that contains the clientID and clientSecret.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

apiVersion: v1
kind: Secret
metadata:
  name: argocd-oidc-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  clientID: # base64 clientID
  clientSecret: # base64 clientSecret
type: Opaque

ArgoCD OIDC

Reference ArgoCD Documentation

Edit the configmap argocd-cm and add the following data items.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
      - type: github
        id: github
        name: GitHub
        config:
          clientID: $argocd-oidc-secret:clientID
          clientSecret: $argocd-oidc-secret:clientSecret
          orgs:
            - name: GITHUB_ORG

Replace the URL with your domain name and GITHUB_ORG with your GitHub org.

If the change is not automatically picked up restart the dex deployment or the application server.

kubectl rollout restart -n argocd deployment argo-cd-argocd-dex-server

Permissions

Edit the configmap argocd-rbac-cm

The following grants all users in the GITHUB_ORG GitHub group GROUP readonly.

1
2
3

data:
  policy.csv: |
    g, GITHUB_ORG:GROUP, role:readonly

ArgoCD has default policies for readonly and admin which can be found here.

A example of having custom permissions for read only:

1
2
3
4

p, role:project-readonly, repositories, get, [email protected]:GITHUB_ORG/REPO.git, allow
p, role:project-readonly, projects, get, PROJECT, allow
p, role:project-readonly, applications, get, PROJECT/*, allow
p, role:project-readonly, logs, get, PROJECT/*, allow

It can then be assigned the same way g, GITHUB_ORG:GROUP, role:project-readonly