Keycloak

Integrating Keycloak and ArgoCD

These instructions will take you through the entire process of getting your ArgoCD application authenticating with Keycloak. You will create a client within Keycloak and configure ArgoCD to use Keycloak for authentication, using groups set in Keycloak to determine privileges in Argo.

Creating a new client in Keycloak

First we need to set up a new client. Start by logging into your Keycloak server, select the realm you want to use (master by default), then go to Clients and click the Create client button at the top.

Enable the Client authentication.

Configure the client by setting the Root URL, Web origins and Admin URL to the hostname (https://{hostname}).

Also you can set Home URL to your /applications path and Valid Post logout redirect URIs to “+”.

The Valid Redirect URIs should be set to https://{hostname}/auth/callback (you can also set the less secure https://{hostname}/* for testing/development purposes, but it’s not recommended in production).

Make sure to click Save. There should now be a tab called Credentials, where you can copy the Secret that we’ll use in our ArgoCD configuration.

Configuring the groups claim

In order for ArgoCD to provide the groups the user is in we need to configure a groups claim that can be included in the authentication token. To do this we’ll start by creating a new Client Scope called groups.

Once you’ve created the client scope you can now add a Token Mapper which will add the groups claim to the token when the client requests the groups scope. In the Tab “Mappers”, click on “Configure a new mapper” and choose Group Membership. Make sure to set the Name as well as the Token Claim Name to groups. Also disable the “Full group path”.

We can now configure the client to provide the groups scope. Go back to the client we’ve created earlier and go to the Tab “Client Scopes”. Click on “Add client scope”, choose the groups scope and add it either to the Default or to the Optional Client Scope. If you put it in the Optional category you will need to make sure that ArgoCD requests the scope in its OIDC configuration. Since we will always want group information, I recommend using the Default category.

Create a group called ArgoCDAdmins and have your current user join the group.

Configuring ArgoCD OIDC

Let’s start by storing the client secret you generated earlier in the ArgoCD Secret argocd-secret.

  1. First you’ll need to encode the client secret in base64: $ echo -n '83083958-8ec6-47b0-a411-a8c55381fbd2' | base64
  2. Then you can edit the secret and add the base64 value to a new key called oidc.keycloak.clientSecret using $ kubectl edit secret argocd-secret.

Your Secret should look something like this:

    apiVersion: v1
    kind: Secret
    metadata:
      name: argocd-secret
    data:
      ...
      oidc.keycloak.clientSecret: ODMwODM5NTgtOGVjNi00N2IwLWE0MTEtYThjNTUzODFmYmQy
      ...

Now we can edit the ConfigMap and add the OIDC configuration to enable Keycloak authentication. You can use $ kubectl edit configmap argocd-cm.

Your ConfigMap should look like this:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: argocd-cm
    data:
      url: https://argocd.example.com
      oidc.config: |
        name: Keycloak
        issuer: https://keycloak.example.com/realms/master
        clientID: argocd
        clientSecret: $oidc.keycloak.clientSecret
        requestedScopes: ["openid", "profile", "email", "groups"]

Make sure that:

  • issuer ends with the correct realm (in this example master)
  • on Keycloak releases older than version 17, the issuer URL must include /auth (in this example /auth/realms/master)
  • clientID is set to the Client ID you configured in Keycloak
  • clientSecret points to the right key you created in the argocd-secret Secret
  • requestedScopes contains the groups claim if you didn’t add it to the Default scopes

Configuring ArgoCD Policy

Now that authentication provides groups, we want to apply a policy to these groups. We can modify the argocd-rbac-cm ConfigMap using $ kubectl edit configmap argocd-rbac-cm.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: argocd-rbac-cm
    data:
      policy.csv: |
        g, ArgoCDAdmins, role:admin

In this example we give the role role:admin to all users in the group ArgoCDAdmins.
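If a user logs in but does not receive role:admin, the usual cause is a mismatch between the groups claim in the token and the subject in policy.csv. The following check is an added example, not part of the ArgoCD or Keycloak documentation; it decodes a token payload without verifying the signature (debugging only), runs on a constructed sample token, and assumes group names are compared to policy.csv subjects as exact strings. The function names are hypothetical.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (debugging only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def group_bindings(policy_csv: str) -> dict:
    """Parse 'g, <subject>, <role>' lines of policy.csv into {subject: {roles}}."""
    bindings = {}
    for line in policy_csv.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3 and fields[0] == "g":
            bindings.setdefault(fields[1], set()).add(fields[2])
    return bindings


def check_groups(token: str, policy_csv: str) -> tuple:
    """Return (roles granted through groups, list of problems found)."""
    groups = jwt_claims(token).get("groups")
    bindings = group_bindings(policy_csv)
    if not isinstance(groups, list):
        return set(), ["no 'groups' claim: check the mapper and the client scope"]
    roles, problems = set(), []
    for g in groups:
        roles |= bindings.get(g, set())
        # With "Full group path" enabled Keycloak emits "/ArgoCDAdmins",
        # which does not equal the bare group name used in policy.csv.
        if g.startswith("/") and g.rsplit("/", 1)[-1] in bindings:
            problems.append(f"{g!r} is a full path: disable 'Full group path'")
    return roles, problems


def make_token(claims: dict) -> str:
    """Constructed sample token; the signature part is a placeholder."""
    parts = [json.dumps(p).encode() for p in ({"alg": "RS256"}, claims)]
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts) + ".sig"


POLICY = "g, ArgoCDAdmins, role:admin\n"  # the policy.csv line from this page

if __name__ == "__main__":
    for sample in (["ArgoCDAdmins"], ["/ArgoCDAdmins"]):
        print(sample, check_groups(make_token({"sub": "alice", "groups": sample}), POLICY))
```

An empty role set together with a "full path" problem means the Group Membership mapper still has “Full group path” enabled.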

Login

You can now log in using the new Keycloak OIDC authentication.