Setting up ArgoCD SSO with GCP OAuth
A comprehensive guide to implementing ArgoCD SSO with GCP OAuth

Overview
This post explains how to configure Single Sign-On (SSO) for ArgoCD using Google Cloud Platform (GCP) OAuth.
Prerequisites
- A GCP project with OAuth 2.0 configured
- ArgoCD installed on a Kubernetes cluster
- Administrative access to both GCP and ArgoCD
Steps
1. Create OAuth 2.0 Client ID in GCP
- Log in to Google Cloud Console and select your project
- Navigate to "APIs & Services" > "Credentials"
- Click "Create Credentials" and select "OAuth client ID"
- Configure OAuth consent screen:
  - Choose Internal (for organization users) or External (for all Google accounts)
  - Complete app registration: OAuth consent screen, scopes, test users, summary
- Create OAuth client:
  - Select "Web application" as application type
  - Add authorized redirect URI: `https://argocd-server-url/api/dex/callback`
- Save the generated credentials:
  - Client ID: `7xxxxxx-fxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com`
  - Client Secret: `Gxxxx-oxxxxxxxxxxxxxxxxxxxxxxxx`
CLI Method
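```bash
gcloud config set project [YOUR_PROJECT_ID]

# The redirect URI must match the Dex callback used in argocd-cm exactly,
# otherwise Google rejects the login with a redirect_uri mismatch.
gcloud alpha iam oauth-clients create \
  --project=[YOUR_PROJECT_ID] \
  --display-name="My OAuth Client" \
  --redirect-uris="https://[YOUR_ARGOCD_SERVER_URL]/api/dex/callback"
```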
2. Update ArgoCD Configuration
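First, back up the existing configuration:
```bash
# k is an alias for kubectl; "neat" is the kubectl-neat plugin.
# Use > rather than >> so a re-run overwrites the backup instead of appending a second document.
k get cm -n argocd argocd-cm -o yaml | k neat > argocd-cm.yaml
# argocd-secret.yaml contains credentials: keep it out of version control.
k get secrets -n argocd argocd-secret -o yaml | k neat > argocd-secret.yaml
```
Update ConfigMaps (YAML)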
argocd-cm
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://<argocd-server-url>
  dex.config: |
    connectors:
      - type: oidc
        id: google
        name: Google
        config:
          issuer: https://accounts.google.com
          clientID: <YOUR-CLIENT-ID>
          # Resolved from the google-client-secret key in argocd-secret
          clientSecret: $google-client-secret
          # Must match the redirect URI registered in GCP and the url above
          redirectURI: https://<argocd-server-url>/api/dex/callback
          hostedDomains:
            - <your-domain.com>
```
argocd-rbac-cm
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:org-admin, projects, create, *, allow
    p, role:org-admin, projects, update, *, allow
    p, role:org-admin, projects, delete, *, allow
    p, role:org-admin, logs, get, *, allow
    p, role:org-admin, exec, create, */*, allow
    g, somaz@example.com, role:org-admin
  policy.default: role:readonly
  scopes: '[groups, email]'
```
Update ConfigMaps (Helm)
```yaml
global:
  # -- Default domain used by all components
  ## Used for ingresses, certificates, SSO, notifications, etc.
  domain: argocd.somaz.link

configs:
  cm:
    timeout.reconciliation: 180s # default is 180s
    # Add account settings
    dex.config: |
      connectors:
        - type: oidc
          id: google
          name: Google
          config:
            # The oidc connector takes `issuer` (as in the YAML variant above), not `baseURL`
            issuer: https://accounts.google.com
            clientID: cd5caac... # TODO: change to your Google client ID
            # A literal here is stored in the argocd-cm ConfigMap; prefer a
            # $<key> reference to argocd-secret, as in the YAML variant above.
            clientSecret: gloas-a9... # TODO: change to your Google client secret
            redirectURI: https://argocd.somaz.link/api/dex/callback # TODO: change to your Argo CD domain
  params:
    create: true
    server.insecure: false # default: false
  # SSH known hosts for Git repositories
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys
  ssh:
    # -- Additional known hosts for private repositories
    # extraHosts: |
    #   gitlab.somaz.link ssh-rsa AAAAB3...
    #   gitlab.somaz.link ecdsa-sha2-nistp256 AAAA...
    #   gitlab.somaz.link ssh-ed25519 AAAA...
  rbac:
    create: true
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, *, *, allow
      p, role:org-admin, projects, get, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, exec, create, */*, allow
      # Grant admin permissions to Google group members
      # TODO: change to your Google user email (somaz@somaz.link)
      # Keep comments on their own line: a trailing comment becomes part of the role name.
      g, somaz@somaz.link, role:org-admin
  secrets:
    # Google SSO Configuration
    dex.google.clientId: "cd5caac..." # TODO: change to your Google client ID
    dex.google.clientSecret: "gloas-a9..." # TODO: change to your Google client secret
```
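An added example, not part of the original post: a small audit of a `policy.csv` like the ones above, run before applying it. It assumes the policy loader skips lines that begin with `#` and otherwise splits each line on commas while trimming only leading spaces; the finding names and the two broken grant lines in the sample are constructed for illustration.

```python
import csv

BUILTIN_ROLES = {"role:admin", "role:readonly"}  # roles shipped with Argo CD

# Constructed sample: rules from this post plus two deliberately broken grants.
SAMPLE_POLICY = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, exec, create, */*, allow
# full-line comments are skipped
g, somaz@example.com, role:org-admin
g, dev@example.com, role:org-admin # TODO: change me
g, ops@example.com, role:org-admn
"""

def parse_policy(text):
    """Return (line number, fields) per rule, under the loader assumption above."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rows.append((lineno, next(csv.reader([line], skipinitialspace=True))))
    return rows

def audit_policy(text):
    """Flag grants that will not resolve and rules that deserve a second look."""
    rows = parse_policy(text)
    defined = {f[1] for _, f in rows if f[0] == "p" and len(f) >= 2}
    findings = []
    for lineno, f in rows:
        if f[0] == "g" and len(f) == 3:
            role = f[2]
            if "#" in role:
                # The trailing comment is now part of the role name.
                findings.append((lineno, "trailing-comment", role))
            elif role.startswith("role:") and role not in defined | BUILTIN_ROLES:
                findings.append((lineno, "undefined-role", role))
        elif f[0] == "p" and len(f) == 6 and f[5] == "allow":
            _, role, resource, action, obj, _ = f
            if resource == "exec":
                findings.append((lineno, "exec-grant", role))  # pod shell access
            elif action == "*" and obj in ("*", "*/*"):
                findings.append((lineno, "wildcard-grant", f"{role}:{resource}"))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in audit_policy(SAMPLE_POLICY):
        print(f"line {lineno}: {kind}: {detail}")
```

The `exec-grant` and `wildcard-grant` findings are prompts for review rather than errors; the other two mean the user silently falls back to `policy.default`.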
3. Restart ArgoCD Components
Check deployments:
```bash
k get deployments.apps -n argocd
```
Restart required components:
```bash
k rollout restart deploy -n argocd argocd-server
k rollout restart deploy -n argocd argocd-dex-server
```
4. Test Login
Access your ArgoCD instance and verify that Google Workspace SSO login works correctly.
Authentication Processes
- OAuth Authentication
- SAML Authentication
- OpenID Connect Authentication
Important Notes
- Consider domain settings, security policies, and network configurations for production environments
- Keep up with the latest documentation as GCP Console and ArgoCD settings may change
- Ensure proper backup before making configuration changes