Chapter 2. Configuring SSO for Argo CD using Dex
After the Red Hat OpenShift GitOps Operator is installed, Argo CD automatically creates a user with admin
permissions. To manage multiple users, cluster administrators can use Argo CD to configure Single Sign-On (SSO).
The spec.dex parameter in the ArgoCD CR is deprecated. In a future release of Red Hat OpenShift GitOps v1.10.0, configuring Dex using the spec.dex parameter in the ArgoCD CR is planned to be removed. Consider using the .spec.sso parameter instead.
2.1. Configuration to enable the Dex OpenShift OAuth Connector
Dex is installed by default for all the Argo CD instances created by the Operator. Dex uses the users and groups defined within OpenShift by checking the OAuth
server provided by the platform. You can configure the options for the Dex SSO provider. The following example shows the properties of Dex along with example configurations:
    apiVersion: argoproj.io/v1alpha1
    kind: ArgoCD
    metadata:
      name: example-argocd
      labels:
        example: openshift-oauth
    spec:
      dex:
        openShiftOAuth: true  # (1)
        groups:               # (2)
          - default
      rbac:                   # (3)
        defaultPolicy: 'role:readonly'
        policy: |
          g, cluster-admins, role:admin
        scopes: '[groups]'

(1) The openShiftOAuth property triggers the Operator to automatically configure the built-in OpenShift OAuth server when the value is set to true.
(2) The groups property allows users of the specified group(s) to log in.
(3) The RBAC policy property assigns the admin role in the Argo CD cluster to users in the OpenShift cluster-admins group.
2.1.1. Mapping users to specific roles
Argo CD cannot map users to specific roles if they have a direct ClusterRoleBinding role. You can manually change the role to role:admin on SSO through OpenShift.
Procedure
1. Create a group named cluster-admins.

    $ oc adm groups new cluster-admins

2. Add the user to the group.

    $ oc adm groups add-users cluster-admins USER

3. Apply the cluster-admin ClusterRole to the group:

    $ oc adm policy add-cluster-role-to-group cluster-admin cluster-admins
2.2. Disabling Dex
Dex is installed by default for all the Argo CD instances created by the Operator. You can configure Red Hat OpenShift GitOps to use Dex as the SSO authentication provider by setting the .spec.dex parameter.
In Red Hat OpenShift GitOps v1.6.0, DISABLE_DEX is deprecated and is planned to be removed in Red Hat OpenShift GitOps v1.10.0. Consider using the .spec.sso.dex parameter instead. See "Enabling or disabling Dex using .spec.sso".
Procedure
- Set the environment variable DISABLE_DEX to true in the YAML resource of the Operator:

    ...
    spec:
      config:
        env:
        - name: DISABLE_DEX
          value: "true"
    ...
2.3. Enabling or disabling Dex using .spec.sso
You can configure Red Hat OpenShift GitOps to use Dex as its SSO authentication provider by setting the .spec.sso parameter.
Procedure
- To enable Dex, set the .spec.sso.provider: dex parameter in the YAML resource of the Operator:

    ...
    spec:
      sso:
        provider: dex
        dex:
          openShiftOAuth: true
    ...

- To disable Dex, either remove the spec.sso element from the Argo CD custom resource, or specify a different SSO provider.
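The move from the deprecated spec.dex form in section 2.1 to the .spec.sso form in section 2.3 can be checked before it is applied. The following is an added example, not code from Red Hat or the Operator: the function names are hypothetical, the sample CR is constructed from the section 2.1 example as JSON, and it assumes the Dex settings keep the same keys under .spec.sso.dex.

```python
import copy
import json

# Constructed sample: the section 2.1 example expressed as JSON.
SAMPLE_CR = json.loads("""
{
  "apiVersion": "argoproj.io/v1alpha1", "kind": "ArgoCD",
  "metadata": {"name": "example-argocd"},
  "spec": {
    "dex": {"openShiftOAuth": true, "groups": ["default"]},
    "rbac": {"defaultPolicy": "role:readonly",
             "policy": "g, cluster-admins, role:admin\\n",
             "scopes": "[groups]"}
  }
}
""")


def migrate_dex_to_sso(cr):
    """Return a copy of the CR with deprecated .spec.dex moved under .spec.sso.dex."""
    out = copy.deepcopy(cr)
    spec = out.setdefault("spec", {})
    legacy = spec.pop("dex", None)
    if legacy is None:
        return out  # nothing to migrate
    sso = spec.setdefault("sso", {})
    if sso.get("provider", "dex") != "dex":
        # Folding Dex settings into a CR that selects another provider would be ambiguous.
        raise ValueError("spec.sso already selects a different SSO provider")
    sso["provider"] = "dex"
    # Choice made in this example: keys already under .spec.sso.dex win over legacy ones.
    sso["dex"] = {**legacy, **sso.get("dex", {})}
    return out


def admin_groups(cr):
    """Groups the RBAC policy maps to role:admin (lines of the form 'g, <group>, role:admin')."""
    policy = cr.get("spec", {}).get("rbac", {}).get("policy", "")
    found = []
    for line in policy.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 3 and parts[0] == "g" and parts[2] == "role:admin":
            found.append(parts[1])
    return found


if __name__ == "__main__":
    print(json.dumps(migrate_dex_to_sso(SAMPLE_CR)["spec"], indent=2))
    print("groups granted role:admin:", admin_groups(SAMPLE_CR))
```

Comparing the output of admin_groups before and after the migration confirms that the rewrite changed only where the Dex settings live, not who is granted role:admin.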