This repository gives detailed instructions on how to configure SSO for OpenShift GitOps (ArgoCD) using the Keycloak Operator and YAML configuration files only.
YAML file examples are under the OpenShift folder.
To integrate an ArgoCD instance with the OpenShift OAuth login, a connector is needed in between, because ArgoCD natively supports only OIDC. The Dex server implements this connector out of the box, but it is not yet supported by Red Hat (it is not even installed when you create an ArgoCD instance with the OpenShift GitOps Operator). The second option is to install a Red Hat SSO (Keycloak) server to handle the integration with OpenShift OAuth. In both cases, once Dex or RH-SSO is installed, it can be integrated with OpenShift OAuth using either an OAuthClient or a service account acting as an OAuth client. Documentation:
Configuring SSO for Argo CD on OpenShift - GitOps | CI/CD | OpenShift Container Platform 4.7
In this repository, you will find instructions and examples on how to configure SSO for ArgoCD on OpenShift with the Keycloak Operator, using only YAML files (the KeycloakRealm and KeycloakClient custom resources) and without touching the Keycloak GUI.
- Install the Keycloak Operator in a namespace, including the CRDs, the keycloak-operator deployment, role, rolebinding and service account. See Install KeyCloak Operator.
- In your Keycloak namespace, create a Keycloak instance using the following YAML:

```yaml
apiVersion: keycloak.org/v1alpha1
kind: Keycloak
metadata:
  name: example-sso # Your Keycloak instance name
  labels:
    app: idp # Must match spec.instanceSelector.matchLabels of the KeycloakRealm below
spec:
  instances: 1
  externalAccess:
    enabled: true
```
- Wait for the Keycloak instance to be ready (not critical; if needed you can check the instance status with the following command):

```
$ oc get keycloak <instance> -n <namespace> -o jsonpath='{.status.ready}'
```
- Create a KeycloakRealm and a KeycloakClient broker using the following YAMLs (note: the realm must be created before the client):

```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakRealm
metadata:
  labels:
    app: idp # Your label selector
  name: idp-test # Name for your realm
  namespace: idp-keycloak # Where you installed your Keycloak Operator
spec:
  instanceSelector:
    matchLabels:
      app: idp # Must match the labels of the Keycloak instance
  realm:
    displayName: IDP Realm
    enabled: true
    id: idp-test
    identityProviders:
      - addReadTokenRoleOnCreate: true
        alias: openshift-v4 # Do not change this
        config:
          baseUrl: https://api.example.com:6443 # OpenShift API URL
          clientId: idp-broker # Client ID (same as the OAuthClient name below)
          clientSecret: secret # Client secret (same as the OAuthClient secret below)
        displayName: login with ocp4 # Display name
        enabled: true
        internalId: idp-broker
        providerId: openshift-v4
    realm: idp-test # Your realm name
```
- Create the KeycloakClient, specifying the same client ID and secret:

```yaml
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  labels:
    app: idp # App label for the realm selector
  name: example-client # Name of your KeycloakClient
  namespace: idp-keycloak # Where you installed your Keycloak Operator
spec:
  client:
    baseUrl: /applications # Base URL for ArgoCD
    clientId: idp-broker # Define your client ID
    defaultClientScopes: # Default scopes
      - openid
      - profile
      - email
    directAccessGrantsEnabled: false
    implicitFlowEnabled: false
    protocol: openid-connect
    publicClient: false
    rootUrl: https://argocd-server-customer-gitops.example.com # URL of your ArgoCD
    secret: secret # Your client secret
    standardFlowEnabled: true
  realmSelector:
    matchLabels:
      app: idp # Same app label as the realm
  scopeMappings: {}
```
- Configure the ArgoCD secret and CR using the following YAMLs:

```
$ oc edit secret <argocd-name>-secret -n <customer-namespace>
```

```yaml
apiVersion: v1
data:
  oidc.keycloak.clientSecret: c2VjcmV0 # Add this key to the existing argocd-secret with your client secret encoded in Base64 (not encrypted)
kind: Secret
metadata:
  labels:
    app.kubernetes.io/managed-by: argocd
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
  namespace: customer-gitops
type: Opaque
```
```
$ oc edit argocd <argocd-name> -n <customer-namespace>
```

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: argocd
  namespace: customer-gitops
spec:
  grafana:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  # Configure here your OIDC config from your realm:
  #   name:            display name shown on the login button
  #   issuer:          URL of your realm
  #   clientID:        your client ID
  #   clientSecret:    reference to the key stored in argocd-secret (see the secret example above)
  #   requestedScopes: replace with your scopes
  # oidcConfig must be a block scalar (|) so that each key stays on its own line.
  oidcConfig: |
    name: OpenShift Single Sign-On
    issuer: https://keycloak-idp-keycloak.example.com/auth/realms/idp-test
    clientID: idp-broker
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email"]
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  server:
    autoscale:
      enabled: false
    grpc:
      ingress:
        enabled: false
    ingress:
      enabled: false
    route:
      enabled: true
```
- Finally, add the OAuthClient:

```yaml
apiVersion: oauth.openshift.io/v1
kind: OAuthClient
metadata:
  name: idp-broker # Name of your OAuthClient; must equal the identity provider clientId in the realm
grantMethod: prompt
redirectURIs:
  - https://keycloak-idp-keycloak.example.com/auth/realms/idp-test/broker/openshift-v4/endpoint # Replace idp-test with your realm name
secret: secret # Client secret; must equal the identity provider clientSecret in the realm
```
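The steps above spread the same client ID, secret, realm name and broker alias across four resources, and a single mismatch (an OAuthClient name that differs from the realm's identity provider clientId, a redirect URI with the wrong realm, a Base64 value in argocd-secret that does not decode to the KeycloakClient secret) breaks the login with little to go on. The following script is an added example, not part of this repository: it renders the KeycloakRealm, KeycloakClient, OAuthClient and argocd-secret data from one `Settings` object (all values are constructed placeholders matching the examples above) and `check_manifests()` cross-checks them as plain dicts, so it can also be run on the output of `oc get <kind> <name> -o json` from a live cluster. JSON is valid YAML, so no third-party library is needed.

```python
"""Render and cross-check the SSO manifests from this README (added example)."""
import base64
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Settings:
    # Constructed placeholder values; replace with your own.
    keycloak_ns: str = "idp-keycloak"
    keycloak_host: str = "keycloak-idp-keycloak.example.com"
    realm: str = "idp-test"
    broker_alias: str = "openshift-v4"  # identity provider alias, keep as-is
    ocp_api: str = "https://api.example.com:6443"
    client_id: str = "idp-broker"
    client_secret: str = "secret"
    argocd_host: str = "argocd-server-customer-gitops.example.com"
    label: str = "idp"


def realm_issuer(s: Settings) -> str:
    # Value for `issuer:` in the ArgoCD oidcConfig.
    return f"https://{s.keycloak_host}/auth/realms/{s.realm}"


def broker_redirect_uri(s: Settings) -> str:
    # Callback endpoint of Keycloak's identity broker for this alias.
    return f"{realm_issuer(s)}/broker/{s.broker_alias}/endpoint"


def keycloak_realm(s: Settings) -> dict:
    idp = {"alias": s.broker_alias, "providerId": "openshift-v4", "enabled": True,
           "addReadTokenRoleOnCreate": True, "internalId": s.client_id,
           "displayName": "login with ocp4",
           "config": {"baseUrl": s.ocp_api, "clientId": s.client_id,
                      "clientSecret": s.client_secret}}
    return {"apiVersion": "keycloak.org/v1alpha1", "kind": "KeycloakRealm",
            "metadata": {"name": s.realm, "namespace": s.keycloak_ns,
                         "labels": {"app": s.label}},
            "spec": {"instanceSelector": {"matchLabels": {"app": s.label}},
                     "realm": {"id": s.realm, "realm": s.realm, "enabled": True,
                               "displayName": "IDP Realm",
                               "identityProviders": [idp]}}}


def keycloak_client(s: Settings) -> dict:
    client = {"clientId": s.client_id, "secret": s.client_secret,
              "protocol": "openid-connect", "publicClient": False,
              "standardFlowEnabled": True, "implicitFlowEnabled": False,
              "directAccessGrantsEnabled": False, "baseUrl": "/applications",
              "rootUrl": f"https://{s.argocd_host}",
              "defaultClientScopes": ["openid", "profile", "email"]}
    return {"apiVersion": "keycloak.org/v1alpha1", "kind": "KeycloakClient",
            "metadata": {"name": "example-client", "namespace": s.keycloak_ns,
                         "labels": {"app": s.label}},
            "spec": {"realmSelector": {"matchLabels": {"app": s.label}},
                     "client": client, "scopeMappings": {}}}


def oauth_client(s: Settings) -> dict:
    return {"apiVersion": "oauth.openshift.io/v1", "kind": "OAuthClient",
            "metadata": {"name": s.client_id}, "grantMethod": "prompt",
            "secret": s.client_secret, "redirectURIs": [broker_redirect_uri(s)]}


def argocd_secret_data(s: Settings) -> dict:
    # `data` field of argocd-secret: Base64-encoded, not encrypted.
    return {"oidc.keycloak.clientSecret":
            base64.b64encode(s.client_secret.encode()).decode()}


def check_manifests(realm: dict, client: dict, oauth: dict,
                    secret_data: dict, issuer: str) -> list:
    """Return the cross-reference problems found; an empty list means consistent."""
    problems = []
    idp = realm["spec"]["realm"]["identityProviders"][0]
    # The OpenShift OAuthClient must match the realm's identity provider config.
    if oauth["metadata"]["name"] != idp["config"]["clientId"]:
        problems.append("OAuthClient name != identityProvider clientId")
    if oauth["secret"] != idp["config"]["clientSecret"]:
        problems.append("OAuthClient secret != identityProvider clientSecret")
    expected_cb = f"{issuer}/broker/{idp['alias']}/endpoint"
    if expected_cb not in oauth.get("redirectURIs", []):
        problems.append(f"OAuthClient redirectURIs lacks {expected_cb}")
    # The KeycloakClient must bind to this realm and share its secret with ArgoCD.
    if client["spec"]["realmSelector"]["matchLabels"] != realm["metadata"]["labels"]:
        problems.append("KeycloakClient realmSelector does not match realm labels")
    stored = base64.b64decode(secret_data["oidc.keycloak.clientSecret"]).decode()
    if stored != client["spec"]["client"]["secret"]:
        problems.append("argocd-secret oidc.keycloak.clientSecret != KeycloakClient secret")
    if not issuer.endswith("/auth/realms/" + realm["spec"]["realm"]["realm"]):
        problems.append("ArgoCD issuer does not point at this realm")
    return problems


if __name__ == "__main__":
    s = Settings()
    for m in (keycloak_realm(s), keycloak_client(s), oauth_client(s)):
        print(json.dumps(m, indent=2))  # JSON is valid YAML; pipe into `oc apply -f -`
    print("problems:", check_manifests(keycloak_realm(s), keycloak_client(s),
                                       oauth_client(s), argocd_secret_data(s),
                                       realm_issuer(s)))
```

To audit a cluster instead of the rendered placeholders, load the four objects with `json.load` from `oc get keycloakrealm/<realm> -o json`, `oc get keycloakclient/<client> -o json`, `oc get oauthclient/<name> -o json` and `oc get secret/argocd-secret -o json` (passing its `.data`), and take the issuer from the `oidcConfig` of the ArgoCD CR; any non-empty result names the resource pair that disagrees.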
Anyone interested in contributing to and maintaining the YAML files and the documentation is welcome to fork the project, create a branch and open a pull request.