Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Access control and user management

Red Hat OpenShift GitOps 1.9

Configuring user authentication and access controls for users and namespaces

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for changing and managing user level access and resource requests. It also discusses how to configure role-based access control and single sign-on authentication providers to manage multiple users, permissions, Argo CD resources, and instances in the cluster.

Chapter 1. Configuring Argo CD RBAC
Copy link

By default, if you are logged into Argo CD using Red Hat SSO (RH SSO), you are a read-only user. You can change and manage the user level access.

1.1. Configuring user level access
Copy link

To manage and modify the user level access, configure the role-based access control (RBAC) section in the Argo CD custom resource (CR).

Procedure

  1. Edit the argocd CR: 

    $ oc edit argocd [argocd-instance-name] -n [namespace]
    Copy to Clipboard Toggle word wrap

    Output

    metadata
...
...
  rbac:
    policy: 'g, rbacsystem:cluster-admins, role:admin'
    scopes: '[groups]'
    Copy to Clipboard Toggle word wrap

  2. Add the policy configuration to the rbac section and add the name, email and the role of the user: 

    metadata
...
...
rbac:
    policy: <name>, <email>, role:<admin>
    scopes: '[groups]'
    Copy to Clipboard Toggle word wrap
Note

Currently, RHSSO cannot read the group information of Red Hat OpenShift GitOps users. Therefore, configure the RBAC at the user level.

1.2. Modifying RHSSO resource requests/limits
Copy link

By default, the RHSSO container is created with resource requests and limitations. You can change and manage the resource requests.

Expand
ResourceRequestsLimits

CPU

500

1000m

Memory

512 Mi

1024 Mi

Procedure

  • Modify the default resource requirements patching the Argo CD custom resource (CR): 
$ oc -n openshift-gitops patch argocd openshift-gitops --type='json' -p='[{"op": "add", "path": "/spec/sso", "value": {"provider": "keycloak", "resources": {"requests": {"cpu": "512m", "memory": "512Mi"}, "limits": {"cpu": "1024m", "memory": "1024Mi"}} }}]'
Copy to Clipboard Toggle word wrap
Note

RHSSO created by the Red Hat OpenShift GitOps only persists the changes that are made by the operator. If the RHSSO restarts, any additional configuration created by the Admin in RHSSO is deleted.

Chapter 2. Configuring SSO for Argo CD using Dex
Copy link

After the Red Hat OpenShift GitOps Operator is installed, Argo CD automatically creates a user with admin permissions. To manage multiple users, cluster administrators can use Argo CD to configure Single Sign-On (SSO).

Important

The spec.dex parameter in the ArgoCD CR is deprecated. In a future release of Red Hat OpenShift GitOps v1.10.0, configuring Dex using the spec.dex parameter in the ArgoCD CR is planned to be removed. Consider using the .spec.sso parameter instead.

Dex is installed by default for all the Argo CD instances created by the Operator. Dex uses the users and groups defined within OpenShift by checking the OAuth server provided by the platform. You can configure the options for the Dex SSO provider. The following example shows the properties of Dex along with example configurations: 

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: openshift-oauth
spec:
  dex:
    openShiftOAuth: true
1 

    groups:
2 

     - default
  rbac:
3 

    defaultPolicy: 'role:readonly'
    policy: |
      g, cluster-admins, role:admin
    scopes: '[groups]'
Copy to Clipboard Toggle word wrap
1
The openShiftOAuth property triggers the Operator to automatically configure the built-in OpenShift OAuth server when the value is set to true.
2
The groups property allows users of the specified group(s) to log in.
3
The RBAC policy property assigns the admin role in the Argo CD cluster to users in the OpenShift cluster-admins group.

2.1.1. Mapping users to specific roles
Copy link

Argo CD cannot map users to specific roles if they have a direct ClusterRoleBinding role. You can manually change the role as role:admin on SSO through OpenShift.

Procedure

  1. Create a group named cluster-admins. 

    $ oc adm groups new cluster-admins
    Copy to Clipboard Toggle word wrap

  2. Add the user to the group. 

    $ oc adm groups add-users cluster-admins USER
    Copy to Clipboard Toggle word wrap

  3. Apply the cluster-admin ClusterRole to the group: 

    $ oc adm policy add-cluster-role-to-group cluster-admin cluster-admins
    Copy to Clipboard Toggle word wrap

2.2. Disabling Dex
Copy link

Dex is installed by default for all the Argo CD instances created by the Operator. You can configure Red Hat OpenShift GitOps to use Dex as the SSO authentication provider by setting the .spec.dex parameter.

Important

In Red Hat OpenShift GitOps v1.6.0, DISABLE_DEX is deprecated and is planned to be removed in Red Hat OpenShift GitOps v1.10.0. Consider using the .spec.sso.dex parameter instead. See "Enabling or disabling Dex using .spec.sso".

Procedure

  • Set the environmental variable DISABLE_DEX to true in the YAML resource of the Operator: 

    ...
spec:
  config:
    env:
    - name: DISABLE_DEX
      value: "true"
...
    Copy to Clipboard Toggle word wrap

2.3. Enabling or disabling Dex using .spec.sso
Copy link

You can configure Red Hat OpenShift GitOps to use Dex as its SSO authentication provider by setting the .spec.sso parameter.

Procedure

  1. To enable Dex, set the .spec.sso.provider: dex parameter in the YAML resource of the Operator: 

    ...
spec:
  sso:
    provider: dex
    dex:
      openShiftOAuth: true
...
    Copy to Clipboard Toggle word wrap
  2. To disable dex, either remove the spec.sso element from the Argo CD custom resource, or specify a different SSO provider.

After the Red Hat OpenShift GitOps Operator is installed, Argo CD automatically creates a user with admin permissions. To manage multiple users, cluster administrators can use Argo CD to configure Single Sign-On (SSO).

3.1. Prerequisites
Copy link

  • Red Hat SSO is installed on the cluster.
  • Red Hat OpenShift GitOps Operator is installed on the cluster.
  • Argo CD is installed on the cluster.

3.2. Configuring a new client in Keycloak
Copy link

Dex is installed by default for all the Argo CD instances created by the Operator. However, you can delete the Dex configuration and add Keycloak instead to log in to Argo CD using your OpenShift credentials. Keycloak acts as an identity broker between Argo CD and OpenShift.

Procedure

To configure Keycloak, follow these steps:

  1. Delete the Dex configuration by removing the .spec.sso.dex parameter from the Argo CD custom resource (CR), and save the CR: 

    dex:
    openShiftOAuth: true
    resources:
      limits:
        cpu:
        memory:
      requests:
        cpu:
        memory:
    Copy to Clipboard Toggle word wrap
  2. Set the value of the provider parameter to keycloak in the Argo CD CR.

  3. Configure Keycloak by performing one of the following steps:

    • For a secure connection, set the value of the rootCA parameter as shown in the following example: 

      apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  sso:
    provider: keycloak
    keycloak:
      rootCA: "<PEM-encoded-root-certificate>"
      1 
      
  server:
    route:
      enabled: true
      Copy to Clipboard Toggle word wrap
      1
      A custom certificate used to verify the Keycloak’s TLS certificate.

      The Operator reconciles changes in the .spec.keycloak.rootCA parameter and updates the oidc.config parameter with the PEM encoded root certificate in the argocd-cm configuration map.

    • For an insecure connection, leave the value of the rootCA parameter empty and use the oidc.tls.insecure.skip.verify parameter as shown below: 

      apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  extraConfig:
    oidc.tls.insecure.skip.verify: "true"
  sso:
    provider: keycloak
    keycloak:
      rootCA: ""
      Copy to Clipboard Toggle word wrap
Note

The Keycloak instance takes 2-3 minutes to install and run.

3.3. Logging in to Keycloak
Copy link

Log in to the Keycloak console to manage identities or roles and define the permissions assigned to the various roles.

Prerequisites

  • The default configuration of Dex is removed.
  • Your Argo CD CR must be configured to use the Keycloak SSO provider.

Procedure

  1. Get the Keycloak route URL for login: 

    $ oc -n argocd get route keycloak

NAME        HOST/PORT                                                        PATH   SERVICES   PORT    TERMINATION   WILDCARD
keycloak    keycloak-default.apps.ci-ln-******.origin-ci-int-aws.dev.**.com         keycloak   <all>    reencrypt     None
    Copy to Clipboard Toggle word wrap

  2. Get the Keycloak pod name that stores the user name and password as environment variables: 

    $ oc -n argocd get pods

NAME                      READY   STATUS           RESTARTS   AGE
keycloak-1-2sjcl           1/1    Running            0        45m
    Copy to Clipboard Toggle word wrap

    1. Get the Keycloak user name: 

      $ oc -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_USERNAME

SSO_ADMIN_USERNAME=Cqid54Ih
      Copy to Clipboard Toggle word wrap

    2. Get the Keycloak password: 

      $ oc -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_PASSWORD

SSO_ADMIN_PASSWORD=GVXxHifH
      Copy to Clipboard Toggle word wrap

  3. On the login page, click LOG IN VIA KEYCLOAK.

    Note

    You only see the option LOGIN VIA KEYCLOAK after the Keycloak instance is ready.

  4. Click Login with OpenShift.

    Note

    Login using kubeadmin is not supported.

  5. Enter the OpenShift credentials to log in.

  6. Optional: By default, any user logged in to Argo CD has read-only access. You can manage the user level access by updating the argocd-rbac-cm config map: 

    policy.csv:
<name>, <email>, role:admin
    Copy to Clipboard Toggle word wrap

3.4. Uninstalling Keycloak
Copy link

You can delete the Keycloak resources and their relevant configurations by removing the SSO field from the Argo CD Custom Resource (CR) file. After you remove the SSO field, the values in the file look similar to the following: 

  apiVersion: argoproj.io/v1alpha1
  kind: ArgoCD
  metadata:
    name: example-argocd
    labels:
      example: basic
  spec:
    server:
      route:
       enabled: true
Copy to Clipboard Toggle word wrap
Note

A Keycloak application created by using this method is currently not persistent. Additional configurations created in the Argo CD Keycloak realm are deleted when the server restarts.

Legal Notice
Copy link

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat