github.com/argoproj-labs/argocd-operator@v0.10.0/docs/usage/keycloak/openshift.md (about) 1 # Usage 2 3 This document describes the usage of Keycloak as a Single sign-on provider for ArgoCD in OpenShift Container Platform. Keycloak acts as an Identity broker between ArgoCD and OpenShift, Which means one can also login into Argo CD using their OpenShift credentials. 4 5 The following example shows the most minimal valid manifest to create a new Argo CD cluster with keycloak as a Single sign-on provider. 6 7 ```yaml 8 apiVersion: argoproj.io/v1alpha1 9 kind: ArgoCD 10 metadata: 11 name: example-argocd 12 labels: 13 example: basic 14 spec: 15 sso: 16 provider: keycloak 17 server: 18 route: 19 enabled: true 20 ``` 21 22 If your keycloak is setup with a certificate which is not signed by one of the well known certificate authorities you can provide a custom certificate which will be used in verifying the Keycloak's TLS certificate when communicating with it. 23 Add the rootCA to your Argo CD custom resource `.spec.sso.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate. 24 25 !!! note 26 Argo CD server pod should be restarted after updating the `.spec.sso.keycloak.rootCA`. 27 28 Please refer to the below example: 29 30 ```yaml 31 apiVersion: argoproj.io/v1alpha1 32 kind: ArgoCD 33 metadata: 34 name: example-argocd 35 labels: 36 example: basic 37 spec: 38 sso: 39 provider: keycloak 40 keycloak: 41 rootCA: | 42 ---- BEGIN CERTIFICATE ---- 43 This is a dummy certificate 44 Please place this section with appropriate rootCA 45 ---- END CERTIFICATE ---- 46 server: 47 route: 48 enabled: true 49 ``` 50 51 !!! note 52 `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` fields are no longer supported in Argo CD operator v0.8.0 onwards. Please use equivalent fields under `.spec.sso.keycloak` to configure your keycloak instance. 53 54 ## Create 55 56 Create a new Argo CD Instance in the `argocd` namespace using the provided example. 57 58 ```bash 59 kubectl create -n argocd -f examples/argocd-keycloak.yaml 60 ``` 61 62 ## Keycloak-Instance 63 64 The above configuration creates a keycloak instance and its relevant resources along with the Argo CD resources. Users can login into the keycloak console using the below commands. 65 66 Get the Keycloak Route URL for Login. 67 68 ```bash 69 kubectl -n argocd get route keycloak 70 ``` 71 72 ```bash 73 NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD 74 keycloak keycloak-default.apps.ci-ln-******.origin-ci-int-aws.dev.**.com keycloak <all> reencrypt None 75 ``` 76 77 Get the Keycloak Credentials which are stored as environment variables in the keycloak pod. 78 79 Get the Keycloak Pod name. 80 81 ```bash 82 kubectl -n argocd get pods 83 ``` 84 85 ```bash 86 NAME READY STATUS RESTARTS AGE 87 keycloak-1-2sjcl 1/1 Running 0 45m 88 ``` 89 90 Get the Keycloak Username. 91 92 ```bash 93 kubectl -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_USERNAME 94 ``` 95 96 ```bash 97 SSO_ADMIN_USERNAME=Cqid54Ih 98 ``` 99 100 Get the Keycloak Password. 101 102 ```bash 103 kubectl -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_PASSWORD 104 ``` 105 106 ```bash 107 SSO_ADMIN_PASSWORD=GVXxHifH 108 ``` 109 110 ## Login 111 112 You can see an option to Log in via keycloak apart from the usual ArgoCD login. 113 114  115 116 Click on **LOGIN VIA KEYCLOAK**. You will see two different options for login as shown below. The one on the left will allow you to login into argo cd via keycloak username and password. The one on the right will allow you to login into argo cd using your openshift username and password. 117 118  119 120 You can create keycloak users by logging in to keycloak admin console using the Keycloak admin credentials. 121 122 !!! note 123 Keycloak instance takes 2-3 minutes to be up and running. You will see the option **LOGIN VIA KEYCLOAK** only after the keycloak instance is up. 124 125 ## RBAC 126 127 By default any user logged into ArgoCD will have read-only access. User level access can be managed by updating the `argocd-rbac-cm` configmap. 128 129 ### Group Level RBAC 130 131 The below example shows how to grant admin access to a group with name `cluster-admins`. More information regarding ArgoCD RBAC can be found [here](https://argoproj.github.io/argo-cd/operator-manual/rbac/) 132 133 ```yaml 134 policy.csv: | 135 g, cluster-admins, role:admin 136 ``` 137 138 ### User Level RBAC 139 140 If you wish to configure RBAC for users instead of groups, consider the below example. 141 Example shows how to grant admin access to User foobar with email ID `foobar@example.com`. More information regarding ArgoCD RBAC can be found [here](https://argoproj.github.io/argo-cd/operator-manual/rbac/) 142 143 ```yaml 144 policy.csv: | 145 g, foobar@example.com, role:admin 146 ``` 147 148 ## Change Keycloak Admin Password 149 150 You can change the Keycloak Admin Password that is created by the operator as shown below. 151 152 Login to the Keycloak Admin Console using the Admin user as described in the above section. Click on the user drop-down at the top right and click on the `Manage Account`. 153 154  155 156 Click on the `Password` tab to update the Keycloak Admin Password. 157 158  159 160 ## Uninstall 161 162 You can delete the Keycloak resources and its relevant configuration by removing the SSO field from ArgoCD Custom Resource Spec. 163 164 Example ArgoCD after removing the SSO field should look something like this. 165 166 ```yaml 167 apiVersion: argoproj.io/v1alpha1 168 kind: ArgoCD 169 metadata: 170 name: example-argocd 171 labels: 172 example: basic 173 spec: 174 server: 175 route: 176 enabled: true 177 ``` 178 179 Note: Keycloak application created by this feature is currently not persistent. Incase of restarts, Any additional configuration created by the users in ArgoCD Keycloak realm will be deleted.