This is a cache of https://docs.openshift.com/container-platform/4.7/cicd/gitops/configuring-sso-for-argo-cd-on-openshift.html. It is a snapshot of the page at 2024-11-27T22:04:01.588+0000.
Configuring SSO for Argo CD on OpenShift - GitOps | CI/CD | OpenShift Container Platform 4.7
×

After the Red Hat OpenShift GitOps Operator is installed, Argo CD automatically creates a user with admin permissions. To manage multiple users, Argo CD allows cluster administrators to configure SSO.

Bundled Dex OIDC provider is not supported.

Prerequisites
  • Red Hat SSO is installed on the cluster.

Creating a new client in Keycloak

Procedure
  1. Log in to your Keycloak server, select the realm you want to use, navigate to the Clients page, and then click Create in the upper-right section of the screen.

  2. Specify the following values:

    Client ID

    argocd

    Client Protocol

    openid-connect

    Route URL

    <your-argo-cd-route-url>

    Access Type

    confidential

    Valid Redirect URIs

    <your-argo-cd-route-url>/auth/callback

    Base URL

    /applications

  3. Click Save to see the Credentials tab added to the Client page.

  4. Copy the secret from the Credentials tab for further configuration.

Configuring the groups claim

To manage users in Argo CD, you must configure a groups claim that can be included in the authentication token.

Procedure
  1. In the Keycloak dashboard, navigate to Client Scope and add a new client with the following values:

    Name

    groups

    Protocol

    openid-connect

    Display On Content Scope

    On

    Include to Token Scope

    On

  2. Click Save and navigate to groupsMappers.

  3. Add a new token mapper with the following values:

    Name

    groups

    Mapper Type

    Group Membership

    Token Claim Name

    groups

    The token mapper adds the groups claim to the token when the client requests groups.

  4. Navigate to ClientsClient Scopes and configure the client to provide the groups scope. Select groups in the Assigned Default Client Scopes table and click Add selected. The groups scope must be in the Available Client Scopes table.

  5. Navigate to UsersAdminGroups and create a group ArgoCDAdmins.

Configuring Argo CD OIDC

To configure Argo CD OpenID Connect (OIDC), you must generate your client secret, encode it, and add it to your custom resource.

Prerequisites
  • You have obtained your client secret.

Procedure
  1. Store the client secret you generated.

    1. Encode the client secret in base64:

      $ echo -n '83083958-8ec6-47b0-a411-a8c55381fbd2' | base64
    2. Edit the secret and add the base64 value to an oidc.keycloak.clientSecret key:

      $ oc edit secret argocd-secret -n <namespace>
      Example YAML of the secret
      apiVersion: v1
      kind: Secret
      metadata:
        name: argocd-secret
      data:
        oidc.keycloak.clientSecret: ODMwODM5NTgtOGVjNi00N2IwLWE0MTEtYThjNTUzODFmYmQy
  2. Edit the argocd custom resource and add the OIDC configuration to enable the Keycloak authentication:

    $ oc edit argocd -n <your_namespace>
    Example of argocd custom resource
    apiVersion: argoproj.io/v1alpha1
    kind: ArgoCD
    metadata:
      creationTimestamp: null
      name: argocd
      namespace: argocd
    spec:
      resourceExclusions: |
        - apiGroups:
          - tekton.dev
          clusters:
          - '*'
          kinds:
          - TaskRun
          - PipelineRun
      oidcConfig: |
        name: OpenShift Single Sign-On
        issuer: https://keycloak.example.com/auth/realms/myrealm (1)
        clientID: argocd (2)
        clientSecret: $oidc.keycloak.clientSecret (3)
        requestedScopes: ["openid", "profile", "email", "groups"] (4)
      server:
        route:
          enabled: true
    1 issuer must end with the correct realm name (in this example myrealm).
    2 clientID is the Client ID you configured in your Keycloak account.
    3 clientSecret points to the right key you created in the argocd-secret secret.
    4 requestedScopes contains the groups claim if you did not add it to the Default scope.

Keycloak Identity Brokering with OpenShift

You can configure a Keycloak instance to use OpenShift for authentication through Identity Brokering. This allows for Single Sign-On (SSO) between the OpenShift cluster and the Keycloak instance.

Prerequisites
  • jq CLI tool is installed.

Procedure
  1. Obtain the OpenShift Container Platform API URL:

    $ curl -s -k -H "Authorization: Bearer $(oc whoami -t)" https://<openshift-user-facing-api-url>/apis/config.openshift.io/v1/infrastructures/cluster | jq ".status.apiServerURL".

    The address of the OpenShift Container Platform API is often protected by HTTPS. Therefore, you must configure X509_CA_BUNDLE in the container and set it to /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. Otherwise, Keycloak cannot communicate with the API Server.

  2. In the Keycloak server dashboard, navigate to Identity Providers and select Openshift v4. Specify the following values:

    Base Url

    OpenShift 4 API URL

    Client ID

    keycloak-broker

    Client Secret

    A secret that you want define

    Now you can log in to Argo CD with your OpenShift credentials through Keycloak as an Identity Broker.

Registering an additional an OAuth client

If you need an additional OAuth client to manage authentication for your OpenShift Container Platform cluster, you can register one.

Procedure
  • To register your client:

    $ oc create -f <(echo '
    kind: OAuthClient
    apiVersion: oauth.openshift.io/v1
    metadata:
     name: keycloak-broker (1)
    secret: "..." (2)
    redirectURIs:
    - "https://keycloak-keycloak.apps.dev-svc-4.7-020201.devcluster.openshift.com/auth/realms/myrealm/broker/openshift-v4/endpoint" (3)
    grantMethod: prompt (4)
    ')
1 The name of the OAuth client is used as the client_id parameter when making requests to <namespace_route>/oauth/authorize and <namespace_route>/oauth/token.
2 The secret is used as the client_secret parameter when making requests to <namespace_route>/oauth/token.
3 The redirect_uri parameter specified in requests to <namespace_route>/oauth/authorize and <namespace_route>/oauth/token must be equal to or prefixed by one of the URIs listed in the redirectURIs parameter value.
4 If the user has not granted access to this client, the grantMethod determines which action to take when this client requests tokens. Specify auto to automatically approve the grant and retry the request, or prompt to prompt the user to approve or deny the grant.

Configure groups and Argo CD RBAC

Role-based access control (RBAC) allows you to provide relevant permissions to users.

Prerequisites
  • You have created the ArgoCDAdmins group in Keycloak.

  • The user you want to give permissions to has logged in to Argo CD.

Procedure
  1. In the Keycloak dashboard navigate to UsersGroups. Add the user to the Keycloak group ArgoCDAdmins.

  2. Ensure that ArgoCDAdmins group has the required permissions in the argocd-rbac config map.

    • Edit the config map:

      $ oc edit configmap argocd-rbac-cm -n <namespace>
      Example of a config map that defines admin permissions.
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: argocd-rbac-cm
      data:
        policy.csv: |
          g, /ArgoCDAdmins, role:admin

In-built permissions for Argo CD

This section lists the permissions that are granted to ArgoCD to manage specific cluster-scoped resources which include cluster operators, optional OLM operators, and user management. Note that ArgoCD is not granted cluster-admin permissions.

Table 1. Permissions granted to Argo CD

Resource group

What it configures for a user or an administrator

operators.coreos.com

Optional operators managed by OLM

user.openshift.io, rbac.authorization.k8s.io

Groups, Users, and their permissions

config.openshift.io

Control plane operators managed by CVO used to configure cluster-wide build configuration, registry configuration, and scheduler policies

storage.k8s.io

Storage

console.openshift.io

Console customization