Argo CD does not have any local users other than the built-in admin
user. All other users are
expected to login via SSO. There are two ways that SSO can be configured:
-
Bundled Dex OIDC provider - use this option your current provider does not support OIDC (e.g. SAML, LDAP) or if you wish to leverage any of Dex's connector features (e.g. the ability to map GitHub organizations and teams to OIDC groups claims).
-
Existing OIDC provider - use this if you already have an OIDC provider which you are using (e.g. Okta, OneLogin, Auth0, Microsoft), where you manage your users, groups, and memberships.
Argo CD embeds and bundles Dex as part of its installation, for the
purpose of delegating authentication to an external identity provider. Multiple types of identity
providers are supported (OIDC, SAML, LDAP, GitHub, etc...). SSO configuration of Argo CD requires
editing the argocd-cm
ConfigMap with
Dex connector settings.
This document describes how to configure Argo CD SSO using GitHub (OAuth2) as an example, but the steps should be similar for other identity providers.
In GitHub, register a new application. The callback address should be the /api/dex/callback
endpoint of your Argo CD URL (e.g. https://argocd.example.com/api/dex/callback).
After registering the app, you will receive an OAuth2 client ID and secret. These values will be inputted into the Argo CD configmap.
Edit the argocd-cm configmap:
kubectl edit configmap argocd-cm -n argocd
- In the
url
key, input the base URL of Argo CD. In this example, it is https://argocd.example.com - In the
dex.config
key, add thegithub
connector to theconnectors
sub field. See Dex's GitHub connector documentation for explanation of the fields. A minimal config should populate the clientID, clientSecret generated in Step 1. - You will very likely want to restrict logins to one or more GitHub organization. In the
connectors.config.orgs
list, add one or more GitHub organizations. Any member of the org will then be able to login to Argo CD to perform management tasks.
data:
url: https://argocd.example.com
dex.config: |
connectors:
# GitHub example
- type: github
id: github
name: GitHub
config:
clientID: aabbccddeeff00112233
clientSecret: $dex.github.clientSecret
orgs:
- name: your-github-org
# GitHub enterprise example
- type: github
id: acme-github
name: Acme GitHub
config:
hostName: github.acme.com
clientID: abcdefghijklmnopqrst
clientSecret: $dex.acme.clientSecret
orgs:
- name: your-github-org
After saving, the changes should take affect automatically.
NOTES:
- Any values which start with '$' will look to a key in argocd-secret of the same name (minus the $),
to obtain the actual value. This allows you to store the
clientSecret
as a kubernetes secret. - There is no need to set
redirectURI
in theconnectors.config
as shown in the dex documentation. Argo CD will automatically use the correctredirectURI
for any OAuth2 connectors, to match the correct external callback URL (e.g. https://argocd.example.com/api/dex/callback)
To configure Argo CD to delegate authenticate to your existing OIDC provider, add the OAuth2
configuration to the argocd-cm
ConfigMap under the oidc.config
key:
data:
url: https://argocd.example.com
oidc.config: |
name: Okta
issuer: https://dev-123456.oktapreview.com
clientID: aaaabbbbccccddddeee
clientSecret: $oidc.okta.clientSecret