183 lines
5.0 KiB
Markdown
183 lines
5.0 KiB
Markdown
---
|
|
title: Integrate with ArgoCD
|
|
sidebar_label: ArgoCD
|
|
---
|
|
|
|
# ArgoCD
|
|
|
|
<span class="badge badge--secondary">Support level: Community</span>
|
|
|
|
## What is ArgoCD
|
|
|
|
> Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
|
|
>
|
|
> -- https://argoproj.github.io/cd/
|
|
|
|
## Preparation
|
|
|
|
The following placeholders will be used:
|
|
|
|
- `argocd.company` is the FQDN of the ArgoCD install.
|
|
- `authentik.company` is the FQDN of the authentik install.
|
|
|
|
:::note
|
|
Only settings that have been modified from default have been listed.
|
|
:::
|
|
|
|
## authentik Configuration
|
|
|
|
### Step 1 - Provider creation
|
|
|
|
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
|
|
|
|
- Name: ArgoCD
|
|
- Client Type: `Confidential`
|
|
- Signing Key: Select any available key
|
|
- Redirect URIs:
|
|
|
|
```
|
|
https://argocd.company/api/dex/callback
|
|
http://localhost:8085/auth/callback
|
|
```
|
|
|
|
After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.
|
|
|
|
### Step 2 - Application creation
|
|
|
|
Create a new _Application_ (under _Applications/Applications_) with these settings:
|
|
|
|
- Name: ArgoCD
|
|
- Provider: ArgoCD
|
|
- Slug: argocd
|
|
- Launch URL: https://argocd.company/auth/login
|
|
|
|
### Step 3 - ArgoCD Group creation
|
|
|
|
Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
|
|
|
|
- Name: ArgoCD Admins
|
|
- Members: Add your user and/or any user that should be an ArgoCD admin
|
|
|
|
You can create another group for read-only access to ArgoCD as well if desired:
|
|
|
|
- Name: ArgoCD Viewers
|
|
- Members: Any user that should have ArgoCD read-only access
|
|
|
|
## Terraform provider
|
|
|
|
```hcl
|
|
data "authentik_flow" "default-provider-authorization-implicit-consent" {
|
|
slug = "default-provider-authorization-implicit-consent"
|
|
}
|
|
|
|
data "authentik_scope_mapping" "scope-email" {
|
|
name = "authentik default OAuth Mapping: OpenID 'email'"
|
|
}
|
|
|
|
data "authentik_scope_mapping" "scope-profile" {
|
|
name = "authentik default OAuth Mapping: OpenID 'profile'"
|
|
}
|
|
|
|
data "authentik_scope_mapping" "scope-openid" {
|
|
name = "authentik default OAuth Mapping: OpenID 'openid'"
|
|
}
|
|
|
|
resource "authentik_provider_oauth2" "argocd" {
|
|
name = "ArgoCD"
|
|
# Required. You can use the output of:
|
|
# $ openssl rand -hex 16
|
|
client_id = "my_client_id"
|
|
|
|
# Optional: will be generated if not provided
|
|
# client_secret = "my_client_secret"
|
|
|
|
authorization_flow = data.authentik_flow.default-provider-authorization-implicit-consent.id
|
|
|
|
redirect_uris = [
|
|
"https://argocd.company/api/dex/callback",
|
|
"http://localhost:8085/auth/callback"
|
|
]
|
|
|
|
property_mappings = [
|
|
data.authentik_scope_mapping.scope-email.id,
|
|
data.authentik_scope_mapping.scope-profile.id,
|
|
data.authentik_scope_mapping.scope-openid.id,
|
|
]
|
|
}
|
|
|
|
resource "authentik_application" "argocd" {
|
|
name = "ArgoCD"
|
|
slug = "argocd"
|
|
protocol_provider = authentik_provider_oauth2.argocd.id
|
|
}
|
|
|
|
resource "authentik_group" "argocd_admins" {
|
|
name = "ArgoCD Admins"
|
|
}
|
|
|
|
|
|
resource "authentik_group" "argocd_viewers" {
|
|
name = "ArgoCD Viewers"
|
|
}
|
|
```
|
|
|
|
## ArgoCD Configuration
|
|
|
|
:::note
|
|
We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.
|
|
:::
|
|
|
|
### Step 1 - Add the OIDC Secret to ArgoCD
|
|
|
|
In the `argocd-secret` Secret, add the following value to the `data` field:
|
|
|
|
```yaml
|
|
dex.authentik.clientSecret: <base 64 encoded value of the Client Secret from the Provider above>
|
|
```
|
|
|
|
If using Helm, the above can be added to `configs.secret.extra` in your ArgoCD Helm `values.yaml` file as shown below, securely substituting the string however you see fit:
|
|
|
|
```yaml
|
|
configs:
|
|
secret:
|
|
extra:
|
|
dex.authentik.clientSecret: "${argocd_authentik_client_secret}"
|
|
```
|
|
|
|
### Step 2 - Configure ArgoCD to use authentik as OIDC backend
|
|
|
|
In the `argocd-cm` ConfigMap, add the following to the data field :
|
|
|
|
```yaml
|
|
url: https://argocd.company
|
|
dex.config: |
|
|
connectors:
|
|
- config:
|
|
issuer: https://authentik.company/application/o/<application slug defined in step 2>/
|
|
clientID: <client ID from the Provider above>
|
|
clientSecret: $dex.authentik.clientSecret
|
|
insecureEnableGroups: true
|
|
scopes:
|
|
- openid
|
|
- profile
|
|
- email
|
|
name: authentik
|
|
type: oidc
|
|
id: authentik
|
|
```
|
|
|
|
### Step 3 - Map the `ArgoCD Admins` group to ArgoCD's admin role
|
|
|
|
In the `argocd-rbac-cm` ConfigMap, add the following to the data field (or create it if it's not already there) :
|
|
|
|
```yaml
|
|
policy.csv: |
|
|
g, ArgoCD Admins, role:admin
|
|
g, ArgoCD Viewers, role:readonly
|
|
```
|
|
|
|
If you already had an "admin" group and thus didn't create the `ArgoCD Admins` one, just replace `ArgoCD Admins` with your existing group name.
|
|
If you did not opt to create a read-only group, or chose to use one with a different name in authentik, rename or remove here accordingly.
|
|
|
|
Apply all the modified manifests, and you should be able to login to ArgoCD both through the UI and the CLI.
|