This is a cache of https://docs.openshift.com/container-platform/4.8/cicd/gitops/configuring-sso-for-argo-cd-using-keycloak.html. It is a snapshot of the page at 2024-11-22T20:26:12.454+0000.
Configuring SSO for Argo CD using Keycloak - GitOps | CI/CD | OpenShift Container Platform 4.8
×

After the Red Hat OpenShift GitOps Operator is installed, Argo CD automatically creates a user with admin permissions. To manage multiple users, cluster administrators can use Argo CD to configure Single Sign-On (SSO).

Prerequisites
  • Red Hat SSO is installed on the cluster.

  • Argo CD is installed on the cluster.

Configuring a new client in Keycloak

Dex is installed by default for all the Argo CD instances created by the Operator. However, you can delete the Dex configuration and add Keycloak instead to log in to Argo CD using your OpenShift credentials. Keycloak acts as an identity broker between Argo CD and OpenShift.

Procedure

To configure Keycloak, follow these steps:

  1. Delete the Dex configuration by removing the following section from the Argo CD Custom Resource (CR), and save the CR:

    dex:
        openShiftOAuth: true
        resources:
          limits:
            cpu:
            memory:
          requests:
            cpu:
            memory:
  2. Configure Keycloak by editing the Argo CD CR, and updating the value for the provider parameter as keycloak. For example:

    apiVersion: argoproj.io/v1alpha1
    kind: ArgoCD
    metadata:
      name: example-argocd
      labels:
        example: basic
    spec:
      sso:
        provider: keycloak
      server:
        route:
         enabled: true

The Keycloak instance takes 2-3 minutes to install and run.

Logging in to Keycloak

Log in to the Keycloak console to manage identities or roles and define the permissions assigned to the various roles.

Prerequisites
  • The default configuration of Dex is removed.

  • Your Argo CD CR must be configured to use the Keycloak SSO provider.

Procedure
  1. Get the Keycloak route URL for login:

    $ oc -n argocd get route keycloak
    
    NAME        HOST/PORT                                                        PATH   SERVICES   PORT    TERMINATION   WILDCARD
    keycloak    keycloak-default.apps.ci-ln-******.origin-ci-int-aws.dev.**.com         keycloak   <all>    reencrypt     None
  2. Get the Keycloak pod name that stores the user name and password as environment variables:

    $ oc -n argocd get pods
    
    NAME                      READY   STATUS           RESTARTS   AGE
    keycloak-1-2sjcl           1/1    Running            0        45m
    1. Get the Keycloak user name:

      $ oc -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_USERNAME
      
      SSO_ADMIN_USERNAME=Cqid54Ih
    2. Get the Keycloak password:

      $ oc -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_PASSWORD
      
      SSO_ADMIN_PASSWORD=GVXxHifH
  3. On the login page, click LOG IN VIA KEYCLOAK.

    You only see the option LOGIN VIA KEYCLOAK after the Keycloak instance is ready.

  4. Click Login with OpenShift.

    Login using kubeadmin is not supported.

  5. Enter the OpenShift credentials to log in.

  6. Optional: By default, any user logged in to Argo CD has read-only access. You can manage the user level access by updating the argocd-rbac-cm config map:

    policy.csv:
    <name>, <email>, role:admin

Integrating Keycloak with the OpenShift OAuth server in a disconnected cluster

In a disconnected cluster, Keycloak communicates with the OpenShift OAuth server through a proxy.

Procedure

Follow these steps to integrate Keycloak with the OpenShift OAuth server:

  1. Log in to the Keycloak pod:

    $ oc exec -it dc/keycloak -n argocd -- /bin/bash
  2. Launch the JBoss CLI tool to set up the proxy mappings:

    /opt/eap/bin/jboss-cli.sh
  3. In the JBoss CLI tool, run the following command to start an embedded standalone server:

    embed-server --server-config=standalone-openshift.xml
  4. Set up proxy mappings for the OpenShift OAuth server host:

    /subsystem=keycloak-server/spi=connectionsHttpClient/provider=default:write-attribute(name=properties.proxy-mappings,value=["<oauth-server-hostname>;http://<proxy-server-host>:<proxy-server-port>"])
  5. Stop the embedded server:

    quit
  6. Reload the JBoss CLI tool to apply the proxy mappings:

    /opt/eap/bin/jboss-cli.sh --connect --command=:reload

Uninstalling Keycloak

You can delete the Keycloak resources and their relevant configurations by removing the SSO field from the Argo CD Custom Resource (CR) file. After you remove the SSO field, the values in the file look similar to the following:

  apiVersion: argoproj.io/v1alpha1
  kind: ArgoCD
  metadata:
    name: example-argocd
    labels:
      example: basic
  spec:
    server:
      route:
       enabled: true

A Keycloak application created by using this method is currently not persistent. Additional configurations created in the Argo CD Keycloak realm are deleted when the server restarts.