top of page

How to configure ArgoCD OIDC with Google Workspace in 5 simple steps


There are different ways to handle authentication in ArgoCD, but indeed using the admin password is not secure enough. For this reason, we’ll learn how to configure your ArgoCD to integrate with Google Workspace for Login. In this TeraTip we’ll cover one of the approaches for authentication, using ‌groups from Google Workspace.





Before you get started…

In order to get the SSO working you need to have the SSL and URL for your server already configured, otherwise, you’ll get errors during the authentication.



Step #1: Create the OAuth Screen


First, you create a project with any name you want and configure the OAuth screen as follows:



In the Authorized domains section, it is important to configure the domain for the email your users have, in this case, we add the domain for our organization.



Finally, on the Scopes tab select the userinfo.profile and the openid scopes. Those are the scopes ArgoCD needs for the log in.



Step #2: Create the OAuth Client ID


On the Credentials tab, click on + Create Credentials and OAuth client ID.





Then select on Application type, Web Application, and configure the JavaScript origins and redirect URIs. In the Authorized JavaScripts origins section, configure the root URL for your ArgoCD. Then in Authorized redirect URIs copy this URL but append the /api/dex/callback path.




Then click on create and save your Client ID and Client Secret for later.



Step #3: Configure the Service Account on Google Workspace


Now create the Service Account and configure the Domain Wide delegation, in order to make ArgoCD able to read the groups. On the Service Account section of the Google Console we click on + CREATE SERVICE ACCOUNT. You only need to enter a name for the service account and enter any name you like.





Enter ‌your service account, go to the Keys tab, click on Add Key, and select JSON as format. Save the keys, we will use them later for configuring the OIDC.





Step #4: Set up Domain Wide delegation and enabling Admin SDK


To close with the Google configuration you’ll now have to configure Domain Wide delegation and enable the Admin SDK. First head to the Google Cloud Admin console, and then go to Security, Access and data control, API controls, and, lastly, then click on manage domain wide delegation. 






Click on Add Client, and then on Client ID paste the Client ID of your service account, and on the scopes section paste this: https://www.googleapis.com/auth/admin.directory.group.readonly



Finally, head to https://console.cloud.google.com/apis/library/admin.googleapis.com and enable the Admin SDK for your project.



Step #5: Configure ArgoCD


To configure the OIDC create two secrets on your cluster, one for the Client Secret we got on Step 2 and one for the JSON we got on Step 3


For the client secret:

apiVersion: v1


kind: Secret


metadata:


 name: argocd-cm-dex-secret


 namespace: argocd


 labels:


  app.kubernetes.io/part-of: argocd


data:


 dex.google.clientSecret: CLIENT_SECRET_BASE64_ENCODED

For the JSON:

apiVersion: v1


kind: Secret


metadata:


 name: argocd-google-groups-json


 namespace: argocd


data:


 googleAuth.json: JSON_FILE_BASE64_ENCODED

Now if you are using the ArgoCD Helm Chart, you can use the following values, tested on version 5.27.1:

configs:  cm:    url: https://argocd.teracloud.io    dex.config: |      connectors:      - config:          redirectURI: https://argocd.teracloud.io/api/dex/callback          clientID: HERE_YOUR_CLIENT_ID          clientSecret: $argocd-cm-dex-secret:dex.google.clientSecret          serviceAccountFilePath: /tmp/oidc/googleAuth.json          adminEmail: email_used_for_the_domain_wide_delegation          # A list of groups to add          groups:          - devops@teracloud.io        type: google        id: google        name: Google dex:  enabled: true  volumeMounts:  - mountPath: /tmp/oidc    name: google-json    readOnly: true  volumes:  - name: google-json    secret:      defaultMode: 420      secretName: argocd-google-groups-json

Now you have your ArgoCD configured with Google SSO!











Juan Wiggenhauser

Cloud Engineer

Teracloud

Entradas recientes
Buscar por tags
Síguenos
  • Twitter Basic Square
bottom of page