How to configure ArgoCD OIDC with Google Workspace in 5 simple steps
- Dec 27, 2023
Updated: Oct 28, 2024
There are different ways to handle authentication in ArgoCD, but relying on the admin password is not secure enough. For this reason, we'll learn how to configure ArgoCD to use Google Workspace for login. In this TeraTip we'll cover one of the approaches for authentication: using groups from Google Workspace.

Before you get started…
To get SSO working, you need to have the SSL and URL for your server already configured. Otherwise, you'll get errors during authentication.
Step # 1: Create the OAuth Screen
First, create a project with any name you want and configure the OAuth screen as follows:

In the Authorized Domains section, it is important to configure the domain of your users' email addresses. In this case, we add the domain for our organization.

Finally, on the Scopes tab select the userinfo.profile and the openid scopes. Those are the scopes ArgoCD needs for the login.
Step # 2: Create the OAuth Client ID
On the Credentials tab, click on + Create Credentials and choose OAuth client ID.

Then select Web Application as the Application type and configure the JavaScript origins and redirect URIs. In the Authorized JavaScript origins section, configure the root URL for your ArgoCD. Then, in Authorized redirect URIs, enter the same URL with the /api/dex/callback path appended.

Then click on Create and save your Client ID and Client Secret for later.
Step # 3: Configure the Service Account on Google Workspace
Now create the Service Account and configure the Domain Wide delegation so that ArgoCD is able to read the groups. On the Service Account section of the Google Console, click on + CREATE SERVICE ACCOUNT. You only need to enter a name for the service account, and it can be any name you like.

Open your service account, go to the Keys tab, click on Add Key, and select JSON as the format. Save the keys; we will use them later for configuring the OIDC.

Step # 4: Set up Domain Wide delegation and enable Admin SDK
To finish the Google configuration, you'll now have to configure Domain Wide delegation and enable the Admin SDK. First head to the Google Cloud Admin console, then go to Security, Access and data control, API controls, and lastly click on manage domain-wide delegation.

Click on Add Client, paste the Client ID of your service account into the Client ID field, and paste this into the scopes section: https://www.googleapis.com/auth/admin.directory.group.readonly

Finally, head to https://console.cloud.google.com/apis/library/admin.googleapis.com and enable the Admin SDK for your project.
Step # 5: Configure ArgoCD
To configure the OIDC, create two secrets on your cluster: one for the Client Secret we got in Step 2 and one for the JSON we got in Step 3.
For the client secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-cm-dex-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  dex.google.clientSecret: CLIENT_SECRET_BASE64_ENCODED
```
For the JSON:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-google-groups-json
  namespace: argocd
data:
  googleAuth.json: JSON_FILE_BASE64_ENCODED
```
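Two encoding details matter when filling in the base64 placeholders: a trailing newline in the client secret, and line wrapping in the base64 of the JSON key. The following helper is an added example, not part of the original post; it renders both manifests from the raw inputs. The function names are hypothetical, while the Secret names and data keys are the ones used in this step.

```shell
# Added example (not from the original post). Function names are hypothetical;
# Secret names and data keys are the ones used in Step 5.
set -eu

# Base64-encode stdin as a single line. GNU base64 wraps output at 76 columns,
# which would split the JSON key across lines and break the YAML value.
b64() { base64 | tr -d '\n'; }

# render_client_secret <client-secret>: manifest for the Step 2 client secret.
render_client_secret() (
  # printf '%s' encodes exactly the secret; `echo` would append a newline
  # that would end up inside the stored secret value.
  enc=$(printf '%s' "$1" | b64)
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-cm-dex-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  dex.google.clientSecret: ${enc}
EOF
)

# render_groups_json <key.json>: manifest for the Step 3 service account key.
render_groups_json() (
  # Refuse files that are not a service account key, for example the
  # OAuth client JSON that can be downloaded in Step 2.
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" || {
    echo "error: $1 is not a service account key" >&2
    exit 1
  }
  enc=$(b64 < "$1")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-google-groups-json
  namespace: argocd
data:
  googleAuth.json: ${enc}
EOF
)
```

Pipe the output of either function to `kubectl apply -f -` to create the Secret.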
Now if you are using the ArgoCD Helm Chart, you can use the following values, tested on version 5.27.1:
```yaml
configs:
  cm:
    url: https://argocd.teracloud.io
    dex.config: |
      connectors:
      - config:
          redirectURI: https://argocd.teracloud.io/api/dex/callback
          clientID: HERE_YOUR_CLIENT_ID
          clientSecret: $argocd-cm-dex-secret:dex.google.clientSecret
          serviceAccountFilePath: /tmp/oidc/googleAuth.json
          adminEmail: email_used_for_the_domain_wide_delegation
          # A list of groups to add
          groups:
          - devops@teracloud.io
        type: google
        id: google
        name: Google
dex:
  enabled: true
  volumeMounts:
  - mountPath: /tmp/oidc
    name: google-json
    readOnly: true
  volumes:
  - name: google-json
    secret:
      defaultMode: 420
      secretName: argocd-google-groups-json
```
Now you have your ArgoCD configured with Google SSO!


Juan Wiggenhauser
Cloud Engineer
Teracloud
