ArgoCD Keycloak Configurationπ£
This document will explain how to configure keycloak with argocd. This assumes you have the sample manifests applied.
Configuration itemsπ£
- Keycloak
- ArgoCD
These are the items you need to do after keycloak and argocd are working on your cluster.
Keycloak Configurationπ£
- Create an argocd client scope with the following mappings
Name | Mapper Type | Mapper Selection Sub | Token Claim Name | Claim JSON Type |
---|---|---|---|---|
profile | User Attribute | profile | profile | String |
User Property | String | |||
nickname | User Attribute | nickname | nickname | String |
full name | Userβs Full Name | full name | N/A | N/A |
groups | Group Membership | groups | groups | N/A |
username | User Property | username | preferred_username | String |
Keycloak client configuration should look like the following:
{
"id": "a752f27c-dc07-46c9-832a-11759b722ab3",
"clientId": "il2_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd",
"name": "IL2 ArgoCD",
"baseUrl": "/applications",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "**********",
"redirectUris": ["https://argocd.fences.dso.mil/auth/callback"],
"webOrigins": ["https://argocd.fences.dso.mil"],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"saml.assertion.signature": "false",
"saml.multivalued.roles": "false",
"saml.force.post.binding": "false",
"saml.encrypt": "false",
"saml.server.signature": "false",
"saml.server.signature.keyinfo.ext": "false",
"exclude.session.state.from.auth.response": "false",
"saml_force_name_id_format": "false",
"saml.client.signature": "false",
"tls.client.certificate.bound.access.tokens": "false",
"saml.authnstatement": "false",
"display.on.consent.screen": "false",
"saml.onetimeuse.condition": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"defaultClientScopes": ["role_list", "ArgoCD"],
"optionalClientScopes": []
}
User Permission:
- Go to Realm
- Click on Users tab on the left pane
- Set βUser Enabledβ to yes and Email Verified to on.
- Go to Credentials tab and set a non-temp password for the newly created user
- Go to Groups tab and select βImpact Level 2 Authorizedβ and click Join up to the right.
Client Configuration
- Go to Configured realm (eg: baby-yoda)
- Click on Clients
- Click on Il2_00eb8904-5b88-4c68-ad67-cec0d2e07aa6_argocd
- Click the Credentials tab
- Press Regenerate Secret and copy it to clipboard
ArgoCD Configurationπ£
Update chart/values.yaml to enable sso and ArgoCD keycloak client secret:
- modify values.yaml. This will apply changes to argo-cm argo-rbac-cm and argo-secret:
# SSO Additions
sso:
enabled: true <--change to true
keycloakClientSecret: <place secret here>
- Apply helm chart:
helm upgrade -i -n argocd --create-namespace argocd chart/
-
Restart ArgoCD to apply changes by executing βkubectl -n argocd delete pod βallβ within bastion or environment.
-
Go to https://argocd.
. select login with keycloak and use the created username and password.
OIDC Custom CAπ£
ArgoCD does not support pointing to a kubernetes secret to trust SSO (OIDC) connections that are not trusted by the container already.
To get around this limitation a kubernetes secret can be mounted to a file at /etc/pki/tls/certs/
which is the current location of the system trust store for the argocd image from IronBank.
Here is an example when using Big Bang to deploy argocd, assuming you are populating a secret named βca-certβ in the same namespace, with a key of cert.pem and value of a single PEM encoded certificate (an easy way to make this secret is included below as well):
addons:
argocd:
values:
server:
volumes:
- name: ca-cert
secret:
secretName: ca-secret
defaultMode: 0644
volumeMounts:
- name: ca-cert
mountPath: /etc/pki/tls/certs
readOnly: true
For secret creation with this example and a pem file at /path/to/cert.pem
:
kubectl create secret generic ca-secret --from-file=cert.pem=/path/to/cert.pem -n argocd