trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/website/integrations/services/argocd/index.md

105 lines
2.9 KiB
Markdown
Raw Blame History

---
title: ArgoCD
---
<span class="badge badge--secondary">Support level: Community</span>
## What is ArgoCD
> Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
>
> -- https://argoproj.github.io/cd/
## Preparation
The following placeholders will be used:
- `argocd.company` is the FQDN of the ArgoCD install.
- `authentik.company` is the FQDN of the authentik install.
:::note
Only settings that have been modified from default have been listed.
:::
## authentik Configuration
### Step 1 - Provider creation
In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:
- Name: ArgoCD
- Client Type: `Confidential`
- Signing Key: Select any available key
- Redirect URIs:
```
http://argocd.company/api/dex/callback
http://localhost:8085/auth/callback
```
After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.
### Step 2 - Application creation
Create a new _Application_ (under _Applications/Applications_) with these settings:
- Name: ArgoCD
- Provider: ArgoCD
- Slug: argocd
- Launch URL: http://argocd.company/auth/login
### Step 3 - ArgoCD Admin Group creation
Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)
- Name: ArgoCD Admins
- Members: Add your user and/or any user that should be an ArgoCD admin
## ArgoCD Configuration
:::note
We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.
:::
### Step 1 - Add the OIDC Secret to ArgoCD
In the `argocd-secret` Secret, add the following value to the `data` field:
```yaml
dex.authentik.clientSecret: <base 64 encoded value of the Client Secret from the Provider above>
```
### Step 2 - Configure ArgoCD to use authentik as OIDC backend
In the `argocd-cm` ConfigMap, add the following to the data field :
```yaml
dex.config: |
connectors:
- config:
issuer: http://authentik.company/application/o/<application slug defined in step 2>/
clientID: <client ID from the Provider above>
clientSecret: $dex.authentik.clientSecret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
name: authentik
type: oidc
id: authentik
```
### Step 3 - Map the `ArgoCD Admins` group to ArgoCD's admin role
In the `argocd-rbac-cm` ConfigMap, add the following to the data field (or create it if it's not already there) :
```yaml
policy.csv: |
g, ArgoCD Admins, role:admin
```
If you already had an "admin" group and thus didn't create the `ArgoCD Admins` one, just replace `ArgoCD Admins` with your existing group name.
Apply all the modified manifests, and you should be able to login to ArgoCD both through the UI and the CLI.
Reference in New Issue View Git Blame Copy Permalink