github.com/argoproj/argo-cd/v2@v2.10.9/docs/operator-manual/user-management/zitadel.md

# Zitadel

Please also consult the [Zitadel Documentation](https://zitadel.com/docs).

## Integrating Zitadel and ArgoCD

These instructions will take you through the entire process of getting your ArgoCD application authenticating and authorizing with Zitadel. You will create an application within Zitadel and configure ArgoCD to use Zitadel for authentication, using roles set in Zitadel to determine privileges in ArgoCD.

The following steps are required to integrate ArgoCD with Zitadel:

1. Create a new project and a new application in Zitadel
2. Configure the application in Zitadel
3. Set up roles in Zitadel
4. Set up an action in Zitadel
5. Configure ArgoCD configmaps
6. Test the setup

The following values will be used in this example:

- Zitadel FQDN: `auth.example.com`
- Zitadel Project: `argocd-project`
- Zitadel Application: `argocd-application`
- Zitadel Action: `groupsClaim`
- ArgoCD FQDN: `argocd.example.com`
- ArgoCD Administrator Role: `argocd_administrators`
- ArgoCD User Role: `argocd_users`

You may choose different values in your setup; these are used to keep the guide consistent.

## Setting up your project and application in Zitadel

First, we will create a new project within Zitadel. Go to **Projects** and select **Create New Project**.
You should now see the following screen.

Check the following options:

- Assert Roles on Authentication
- Check authorization on Authentication

### Roles

Go to **Roles** and click **New**. Create the following two roles. Use the specified values below for both fields **Key** and **Group**.

- `argocd_administrators`
- `argocd_users`

Your roles should now look like this:

### Authorizations

Next, go to **Authorizations** and assign your user the role `argocd_administrators`.
Click **New**, enter the name of your user and click **Continue**. Select the role `argocd_administrators` and click **Save**.

Your authorizations should now look like this:

### Creating an application

Go to **General** and create a new application. Name the application `argocd-application`.

For the type of the application, select **WEB** and click continue.

Select **CODE** and continue.

Next, we will set up the redirect and post-logout URIs. Set the following values:

- Redirect URI: `https://argocd.example.com/auth/callback`
- Post Logout URI: `https://argocd.example.com`

The post logout URI is optional. In the example setup, users will be taken back to the ArgoCD login page after logging out.

Verify your configuration on the next screen and click **Create** to create the application.

After clicking **Create** you will be shown the `ClientId` and the `ClientSecret` for your application. Make sure to copy the ClientSecret, as you will not be able to retrieve it after closing this window.
For our example, the following values are used:

- ClientId: `227060711795262483@argocd-project`
- ClientSecret: `UGvTjXVFAQ8EkMv2x4GbPcrEwrJGWZ0sR2KbwHRNfYxeLsDurCiVEpa5bkgW0pl0`

Once you have saved the ClientSecret in a safe place, click **Close** to complete creating the application.

Go to **Token Settings** and enable the following options:

- User roles inside ID Token
- User Info inside ID Token

## Setting up an action in Zitadel

To include the role of the user in the token issued by Zitadel, we will need to set up a Zitadel Action. The authorization in ArgoCD will be determined by the role contained within the auth token.
Go to **Actions**, click **New** and choose `groupsClaim` as the name of your action.
Paste the following code into the action:

```javascript
/**
 * Sets an additional "groups" claim in the token whose value is the list of
 * role keys granted to the user across their user grants.
 *
 * The role claim of the token looks like the following:
 *
 *   // added by the code below
 *   "groups": ["{roleName}", "{roleName}", ...],
 *
 * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation
 *
 * @param ctx
 * @param api
 */
function groupsClaim(ctx, api) {
  // Nothing to add when the user has no user grants at all.
  if (ctx.v1.user.grants === undefined || ctx.v1.user.grants.count == 0) {
    return;
  }

  // Flatten the roles of every user grant into one list of role keys.
  let grants = [];
  ctx.v1.user.grants.grants.forEach((claim) => {
    claim.roles.forEach((role) => {
      grants.push(role);
    });
  });

  api.v1.claims.setClaim("groups", grants);
}
```

Check **Allowed To Fail** and click **Add** to add your action.

*Note: If **Allowed To Fail** is not checked and a user does not have a role assigned, it may be possible that the user is no longer able to log in to Zitadel, as the login flow fails when the action fails.*

Next, add your action to the **Complement Token** flow. Select the **Complement Token** flow from the dropdown and click **Add trigger**.
Add your action to both triggers **Pre Userinfo creation** and **Pre access token creation**.

Your Actions page should now look like the following screenshot:

## Configuring the ArgoCD configmaps

Next, we will configure two ArgoCD configmaps:

- [argocd-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml)
- [argocd-rbac-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml)

Configure your configmaps as follows, making sure to replace the relevant values such as `url`, `issuer`, `clientID`, `clientSecret` and `logoutURL` with ones matching your setup.
### argocd-cm.yaml

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  admin.enabled: "false"
  url: https://argocd.example.com
  oidc.config: |
    name: Zitadel
    issuer: https://auth.example.com
    clientID: 227060711795262483@argocd-project
    clientSecret: UGvTjXVFAQ8EkMv2x4GbPcrEwrJGWZ0sR2KbwHRNfYxeLsDurCiVEpa5bkgW0pl0
    requestedScopes:
      - openid
      - profile
      - email
      - groups
    logoutURL: https://auth.example.com/oidc/v1/end_session
```

### argocd-rbac-cm.yaml

```yaml
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  scopes: '[groups]'
  policy.csv: |
    g, argocd_administrators, role:admin
    g, argocd_users, role:readonly
  policy.default: ''
```

The roles specified under `policy.csv` must match the roles configured in Zitadel.
The Zitadel role `argocd_administrators` will be assigned the ArgoCD role `admin`, granting admin access to ArgoCD.
The Zitadel role `argocd_users` will be assigned the ArgoCD role `readonly`, granting read-only access to ArgoCD.

Deploy your ArgoCD configmaps. ArgoCD and Zitadel should now be set up correctly to allow users to log in to ArgoCD using Zitadel.

## Testing the setup

Go to your ArgoCD instance. You should now see the **LOG IN WITH ZITADEL** button above the usual username/password login.

After logging in with your Zitadel user, go to **User Info**. If everything is set up correctly you should now see the group `argocd_administrators` as shown below.