github.com/argoproj-labs/argocd-operator@v0.10.0/docs/usage/dex.md

- [Overview](#overview)
- [Installing & Configuring Dex](#installing--configuring-dex)
- [Dex OpenShift OAuth Connector](#dex-openshift-oauth-connector)
- [Role Mappings](#role-mappings)
- [Dex GitHub Connector](#dex-github-connector)
- [Use ArgoCD's Dex for Argo Workflows authentication](#use-argocds-dex-for-argo-workflows-authentication)
- [Uninstalling Dex](#uninstalling-dex)

## Overview

Dex can be used to delegate authentication to external identity providers like GitHub, SAML and others. SSO configuration of Argo CD requires updating the Argo CD CR with [Dex connector](https://dexidp.io/docs/connectors/) settings.

## Installing & Configuring Dex

Dex configuration has moved to `.spec.sso` in release v0.4.0. Dex can be enabled by setting `.spec.sso.provider` to `dex` in the Argo CD CR.

!!! note
    It is now mandatory to specify `.spec.sso.dex` either with OpenShift configuration through `openShiftOAuth: true` or valid custom configuration supplied through `.spec.sso.dex.config`. Absence of either will result in an error due to failing health checks on Dex.

!!! note
    Specifying `.spec.sso.dex` without setting dex as the provider will result in an error.

!!! note
    `.spec.dex` is no longer supported in Argo CD operator v0.8.0 onwards, use `.spec.sso.dex` instead.

An example of correctly configured dex would look as follows:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  sso:
    provider: dex
    dex:
      openShiftOAuth: true
```

## Dex OpenShift OAuth Connector

The below section describes how to configure Argo CD SSO using the OpenShift connector as an example. Dex makes use of the users and groups defined within OpenShift by querying the platform-provided OAuth server.

The `openShiftOAuth` property can be used to trigger the operator to auto-configure the built-in OpenShift OAuth server.
The `groups` property is used to require users to be a member of one or all of the groups in the `groups` list. The RBAC `policy` property is used to give the admin role in the Argo CD cluster to users in the OpenShift `cluster-admins` group.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: openshift-oauth
spec:
  sso:
    provider: dex
    dex:
      openShiftOAuth: true
      groups:
        - default
  rbac:
    defaultPolicy: 'role:readonly'
    policy: |
      g, cluster-admins, role:admin
    scopes: '[groups]'
```

#### Role Mappings

To have a specific user be properly attributed with the `role:admin` upon SSO through OpenShift, the user needs to be in a **group** with the `cluster-admin` role added. If the user only has a direct `ClusterRoleBinding` to the OpenShift role for `cluster-admin`, the Argo CD role will not map.

A quick fix is to create a group named `cluster-admins`, add the user to the group and then apply the `cluster-admin` ClusterRole to the group.

```txt
oc adm groups new cluster-admins
oc adm groups add-users cluster-admins USER
oc adm policy add-cluster-role-to-group cluster-admin cluster-admins
```

## Dex GitHub Connector

The below section describes how to configure Argo CD SSO using GitHub (OAuth2) as an example, but the steps should be similar for other identity providers.

1. Register the application in the identity provider as explained [here](https://argoproj.github.io/argo-cd/operator-manual/user-management/#1-register-the-application-in-the-identity-provider).

2. Update the Argo CD CR.

   In the `sso.dex.config` key, add the GitHub connector to the `connectors` sub-field. See the Dex [GitHub connector documentation](https://github.com/dexidp/website/blob/main/content/docs/connectors/github.md) for an explanation of the fields. A minimal config should populate the `clientID` and `clientSecret` generated in Step 1.

   You will very likely want to restrict logins to one or more GitHub organizations. In the `connectors.config.orgs` list, add one or more GitHub organizations. Any member of the org will then be able to log in to Argo CD to perform management tasks.

   ```yaml
   apiVersion: argoproj.io/v1alpha1
   kind: ArgoCD
   metadata:
     name: example-argocd
     labels:
       example: openshift-oauth
   spec:
     sso:
       provider: dex
       dex:
         config: |
           connectors:
             # GitHub example
             - type: github
               id: github
               name: GitHub
               config:
                 clientID: xxxxxxxxxxxxxx
                 clientSecret: $dex.github.clientSecret # Alternatively $<some_K8S_secret>:dex.github.clientSecret
                 orgs:
                 - name: dummy-org
   ```

## Use ArgoCD's Dex for Argo Workflows authentication

The below section describes how to configure Argo CD's Dex to accept authentication requests from Argo Workflows.

1. Register the application in the identity provider as explained [here](https://argoproj.github.io/argo-cd/operator-manual/user-management/#1-register-the-application-in-the-identity-provider).

2. Update the Argo CD CR.

   In the `sso.dex.env` key, add the environment variable as shown in the [example manifests for authenticating against Argo CD's Dex](https://argoproj.github.io/argo-workflows/argo-server-sso-argocd/#example-manifests-for-authenticating-against-argo-cds-dex-kustomize).

   ```yaml
   apiVersion: argoproj.io/v1alpha1
   kind: ArgoCD
   metadata:
     name: example-argocd
   spec:
     sso:
       provider: dex
       dex:
         config: |
           connectors:
             # GitHub example
             - type: github
               id: github
               name: GitHub
               config:
                 clientID: xxxxxxxxxxxxxx
                 clientSecret: $dex.github.clientSecret # Alternatively $<some_K8S_secret>:dex.github.clientSecret
                 orgs:
                 - name: dummy-org
         env:
           - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
             valueFrom:
               secretKeyRef:
                 name: argo-workflows-sso
                 key: client-secret
   ```

## Uninstalling Dex

!!! note
    `DISABLE_DEX` environment variable is no longer supported in Argo CD operator v0.8.0 onwards.

Dex can be uninstalled either by removing `.spec.sso` from the Argo CD CR, or by switching to a different SSO provider.
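The Role Mappings section above says a user only gets `role:admin` when the `cluster-admins` group shows up in their groups claim, never through a direct `ClusterRoleBinding`. The following is an added example (not part of the operator docs or code) that models just the `g` lines of the OpenShift example's RBAC policy with `scopes: '[groups]'`; it assumes a simplified matcher where subjects come only from the claims named in `scopes`, and the tokens are constructed.

```python
"""Simplified model of how Argo CD RBAC `g` lines map SSO group claims to roles.

Assumption: only `g, <subject>, <role>` lines are evaluated and subjects are taken
from the claims listed in `scopes`; real Argo CD also matches the user's own
subject and evaluates `p` lines. All claims below are constructed for this example.
"""

POLICY = "g, cluster-admins, role:admin\n"   # from the OpenShift example above
DEFAULT_POLICY = "role:readonly"             # spec.rbac.defaultPolicy
SCOPES = ["groups"]                          # spec.rbac.scopes: '[groups]'


def parse_group_lines(policy: str) -> list:
    """Return (subject, role) pairs from `g, subject, role` lines; other lines are ignored."""
    pairs = []
    for raw in policy.splitlines():
        parts = [p.strip() for p in raw.split(",")]
        if len(parts) == 3 and parts[0] == "g":
            pairs.append((parts[1], parts[2]))
    return pairs


def resolve_roles(claims: dict, policy: str = POLICY,
                  default_policy: str = DEFAULT_POLICY, scopes: list = SCOPES) -> list:
    """Roles granted to a token with these claims; falls back to the default policy."""
    subjects = set()
    for scope in scopes:
        value = claims.get(scope, [])
        subjects.update(value if isinstance(value, list) else [value])
    roles = sorted({role for subject, role in parse_group_lines(policy) if subject in subjects})
    return roles or [default_policy]


# Constructed tokens: alice is in the OpenShift group `cluster-admins`; bob only has a
# direct ClusterRoleBinding, which never appears in the groups claim, so he stays readonly.
ALICE = {"sub": "alice", "groups": ["cluster-admins", "default"]}
BOB = {"sub": "bob", "groups": ["default"]}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(user["sub"], resolve_roles(user))
```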
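The notes in Installing & Configuring Dex and Uninstalling Dex above amount to a small set of rules for the CR. The following added check (not part of the operator) encodes those rules so a CR can be linted before it is applied; it takes the CR as an already-parsed dict, and the sample CRs are constructed, including the `keycloak` provider value used only to show a provider mismatch.

```python
"""Lint an ArgoCD CR's Dex/SSO settings against the rules stated in this page.

The CR is an already-parsed dict (what yaml.safe_load would return), so the check
needs no extra dependencies. Sample CRs below are constructed for this example.
"""


def check_dex_config(cr: dict) -> list:
    """Return the problems found; an empty list means the CR follows the rules."""
    problems = []
    spec = cr.get("spec") or {}
    # .spec.dex was dropped in v0.8.0; the operator only reads .spec.sso.dex now.
    if "dex" in spec:
        problems.append(".spec.dex is no longer supported from v0.8.0; use .spec.sso.dex")
    sso = spec.get("sso")
    if sso is None:
        return problems  # no .spec.sso at all: Dex is not installed (or was uninstalled)
    provider = sso.get("provider")
    dex = sso.get("dex")
    # .spec.sso.dex without provider: dex is rejected by the operator.
    if dex is not None and provider != "dex":
        problems.append(".spec.sso.dex is set but .spec.sso.provider is not 'dex'")
    if provider == "dex":
        # Either openShiftOAuth: true or a connector config is mandatory,
        # otherwise the Dex deployment never passes its health checks.
        if not dex or not (dex.get("openShiftOAuth") is True or dex.get("config")):
            problems.append(".spec.sso.dex needs openShiftOAuth: true or .spec.sso.dex.config")
    return problems


# Constructed sample CRs (not taken from the operator's own tests).
OPENSHIFT_CR = {"apiVersion": "argoproj.io/v1alpha1", "kind": "ArgoCD",
                "metadata": {"name": "example-argocd"},
                "spec": {"sso": {"provider": "dex", "dex": {"openShiftOAuth": True}}}}
EMPTY_DEX_CR = {"kind": "ArgoCD", "spec": {"sso": {"provider": "dex", "dex": {}}}}
LEGACY_CR = {"kind": "ArgoCD", "spec": {"dex": {"openShiftOAuth": True}}}
MISMATCH_CR = {"kind": "ArgoCD",
               "spec": {"sso": {"provider": "keycloak", "dex": {"openShiftOAuth": True}}}}
UNINSTALLED_CR = {"kind": "ArgoCD", "spec": {}}

if __name__ == "__main__":
    for name, cr in [("openshift", OPENSHIFT_CR), ("empty-dex", EMPTY_DEX_CR),
                     ("legacy", LEGACY_CR), ("mismatch", MISMATCH_CR)]:
        print(name, check_dex_config(cr) or "ok")
```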