Keycloak
Integrating Keycloak and ArgoCD
These instructions take you through the entire process of getting ArgoCD to authenticate users against Keycloak. You will create a client in Keycloak, configure ArgoCD to use Keycloak for authentication, and use groups defined in Keycloak to determine privileges in ArgoCD.
Creating a new client in Keycloak
First we need to set up a new client. Start by logging into your Keycloak server, select the realm you want to use (master by default), then go to Clients and click the Create button at the top right.
Configure the client by setting the Access Type to confidential and the Valid Redirect URIs to the callback URL for your ArgoCD hostname: https://{hostname}/auth/callback. Use this exact URL rather than the default wildcard https://{hostname}/* ; a wildcard allows the authorization code to be delivered to any path on the host, which is less secure. You can also set the Base URL to /applications.
Make sure to click Save. A new tab called Credentials should now appear. Copy the Secret from it; we will use it in the ArgoCD configuration.
Configuring the groups claim
In order for ArgoCD to receive the groups a user belongs to, we need to configure a groups claim that is included in the authentication token. Start by creating a new Client Scope called groups.
Once you have created the client scope, add a Token Mapper (the Group Membership mapper type) that adds the groups claim to the token when the client requests the groups scope. Set both the Name and the Token Claim Name to groups. If the mapper's Full group path option is enabled, the claim will contain paths such as /ArgoCDAdmins instead of plain group names; disable it (or use the path form in the RBAC policy) so that the names match the policy configured later.
We can now configure the client to provide the groups scope. Assign the groups scope either to the Assigned Default Client Scopes or to the Assigned Optional Client Scopes. If you put it in the Optional category, make sure that ArgoCD requests the scope in its OIDC configuration (requestedScopes).
Since we will always want group information, I recommend using the Default category. Click Add selected and check that the groups scope appears in the correct list on the right.
Create a group called ArgoCDAdmins and add your current user to it.
Configuring ArgoCD OIDC
Let's start by storing the client secret you generated earlier in the argocd-secret Secret.
- First, base64-encode the client secret (the -n is required: without it a trailing newline becomes part of the secret and Keycloak will reject the client credentials):
  $ echo -n '83083958-8ec6-47b0-a411-a8c55381fbd2' | base64
- Then edit the Secret and add the base64 value under a new key called oidc.keycloak.clientSecret using $ kubectl edit secret argocd-secret.
Your Secret should look something like this:
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
data:
  ...
  oidc.keycloak.clientSecret: ODMwODM5NTgtOGVjNi00N2IwLWE0MTEtYThjNTUzODFmYmQy
  ...
Now we can configure the ConfigMap and add the OIDC configuration that enables Keycloak authentication. You can use $ kubectl edit configmap argocd-cm.
Your ConfigMap should look like this:
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  url: https://argocd.example.com
  oidc.config: |
    name: Keycloak
    issuer: https://keycloak.example.com/realms/master
    clientID: argocd
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
Make sure that:
- issuer ends with the correct realm (in this example master)
- on Keycloak releases older than version 17 the issuer URL must include /auth (in this example https://keycloak.example.com/auth/realms/master)
- clientID is set to the Client ID you configured in Keycloak
- clientSecret points to the key you created in the argocd-secret Secret
- requestedScopes contains groups if you did not add the groups scope to the Default client scopes
Configuring ArgoCD Policy
Now that we have an authentication source that provides groups, we want to apply a policy to those groups. Modify the argocd-rbac-cm ConfigMap using $ kubectl edit configmap argocd-rbac-cm.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    g, ArgoCDAdmins, role:admin
In this example we give the role role:admin to all users in the group ArgoCDAdmins.
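As an added example (not part of the original page, and not ArgoCD's or Keycloak's own code), the following Python script models the two things the procedure above depends on: that the ID token Keycloak issues to the argocd client carries the groups claim together with the iss and aud values ArgoCD will check, and that the g lines in policy.csv map those groups to roles. The issuer, client ID and policy line are taken from the examples above; the token, the user alice and the throwaway HS256 key are constructed for the example. A real Keycloak token is RS256-signed and must be verified against the realm's JWKS, which this script deliberately does not do; decode_payload is only for inspecting a captured token. The role resolution is a simplified model of the group-to-role mapping, not ArgoCD's RBAC engine.

```python
"""Offline sanity check for the Keycloak -> ArgoCD setup (added example).

Models (1) the claims ArgoCD needs in Keycloak's ID token and (2) how the
`g, <group>, <role>` lines of policy.csv map groups to roles. The token is
CONSTRUCTED with a throwaway HS256 key; real tokens are RS256 and must be
verified against the realm JWKS, which this script does not do.
"""
import base64
import hashlib
import hmac
import json

# Values taken from the page's argocd-cm / argocd-rbac-cm examples.
ISSUER = "https://keycloak.example.com/realms/master"
CLIENT_ID = "argocd"
POLICY_CSV = "g, ArgoCDAdmins, role:admin\n"

# Constructed claims resembling what Keycloak issues for a member of
# ArgoCDAdmins ("alice" is a made-up subject, not from the page).
SAMPLE_CLAIMS = {
    "iss": ISSUER,
    "aud": CLIENT_ID,
    "sub": "alice",
    "preferred_username": "alice",
    "groups": ["ArgoCDAdmins"],
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_test_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT from claims (test input only, never production)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_payload(token: str) -> dict:
    """Return a JWT's claims WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_token(claims: dict, issuer: str, client_id: str) -> list:
    """Return the problems that would break an ArgoCD login; empty means ok."""
    problems = []
    if claims.get("iss") != issuer:
        # Keycloak < 17 issues tokens with /auth in the issuer; argocd-cm must match.
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in aud:
        problems.append(f"aud {aud!r} does not contain clientID {client_id!r}")
    groups = claims.get("groups")
    if groups is None:
        problems.append("no groups claim: scope not Default and not in requestedScopes?")
    elif any(g.startswith("/") for g in groups):
        # Group Membership mapper with "Full group path" on emits /ArgoCDAdmins.
        problems.append(f"groups are full paths {groups!r}; policy.csv names will not match")
    return problems


def parse_policy_csv(text: str) -> dict:
    """Parse `g, subject, role` lines into {subject: {role, ...}}."""
    grants = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "g" and len(fields) == 3:
            grants.setdefault(fields[1], set()).add(fields[2])
    return grants


def roles_for(claims: dict, grants: dict) -> set:
    """Roles a user gets from group membership (simplified: groups scope only)."""
    roles = set()
    for group in claims.get("groups", []):
        roles |= grants.get(group, set())
    return roles


if __name__ == "__main__":
    token = make_test_token(SAMPLE_CLAIMS, b"throwaway-test-key")
    claims = decode_payload(token)
    print("problems:", check_token(claims, ISSUER, CLIENT_ID))
    print("roles:", roles_for(claims, parse_policy_csv(POLICY_CSV)))
    # The two classic mistakes: old-style /auth issuer and full group paths.
    broken = dict(claims, iss="https://keycloak.example.com/auth/realms/master",
                  groups=["/ArgoCDAdmins"])
    for problem in check_token(broken, ISSUER, CLIENT_ID):
        print("broken:", problem)
```

To inspect a real login, paste the ID token from a browser session into decode_payload and run check_token against the issuer and clientID from argocd-cm; the two mistakes it flags explicitly are the missing /auth issuer prefix on older Keycloak releases and group names emitted as full paths, both of which result in a successful login that carries no ArgoCD privileges.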
Login
You can now log in using the new Keycloak OIDC authentication.