Setting up ArgoCD SSO with GCP OAuth
A comprehensive guide to implementing ArgoCD SSO with GCP OAuth

Overview
This post explains how to configure Single Sign-On (SSO) for ArgoCD using Google Cloud Platform (GCP) OAuth.
Benefits of Using SSO with ArgoCD
- Centralized Authentication: streamlines access management by integrating with your organization's existing identity provider.
- Enhanced Security: leverages Google's security features, including MFA, suspicious-login detection, and centralized user management.
- Simplified User Experience: provides a seamless login experience without requiring separate ArgoCD credentials.
- Improved Compliance: facilitates audit logging and access control through centralized identity management.
Prerequisites
- A GCP project with OAuth 2.0 configured
- ArgoCD installed on a Kubernetes cluster
- Administrative access to both GCP and ArgoCD
- Domain with proper DNS configuration for ArgoCD
Steps
1. Create OAuth 2.0 Client ID in GCP
- Log in to Google Cloud Console and select your project
- Navigate to "APIs & Services" > "Credentials"
- Click "Create Credentials" and select "OAuth client ID"
- Configure the OAuth consent screen:
  - Choose Internal (for organization users) or External (for all Google accounts)
  - Complete app registration: OAuth consent screen, scopes, test users, summary
- Create the OAuth client:
  - Select "Web application" as the application type
  - Add the authorized redirect URI: `https://argocd-server-url/api/dex/callback`
- Save the generated credentials:

```text
Client ID:     7xxxxxx-fxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
Client Secret: Gxxxx-oxxxxxxxxxxxxxxxxxxxxxxxx
```
2. Update ArgoCD Configuration
First, back up the existing configuration (`k` is an alias for `kubectl`; `neat` is the kubectl-neat plugin, which strips cluster-managed fields from the export):

```shell
k get cm -n argocd argocd-cm -o yaml | k neat >> argocd-cm.yaml
k get secrets -n argocd argocd-secret -o yaml | k neat >> argocd-secret.yaml
```
Update ConfigMaps (YAML)
argocd-cm

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://<argocd-server-url>
  dex.config: |
    connectors:
      - type: oidc
        id: google
        name: Google
        config:
          issuer: https://accounts.google.com
          clientID: <YOUR-CLIENT-ID>
          # $<key> is resolved from argocd-secret; the key must match the one
          # stored in step 3 (dex.google.clientSecret)
          clientSecret: $dex.google.clientSecret
          redirectURI: https://argocd.somaz.link/api/dex/callback
          hostedDomains:
            - <your-domain.com>
```
argocd-rbac-cm

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, projects, get, *, allow
    p, role:org-admin, projects, create, *, allow
    p, role:org-admin, projects, update, *, allow
    p, role:org-admin, projects, delete, *, allow
    p, role:org-admin, logs, get, *, allow
    p, role:org-admin, exec, create, */*, allow
    g, somaz@example.com, role:org-admin
  policy.default: role:readonly
  scopes: '[groups, email]'
```
Update ConfigMaps (Helm)

```yaml
global:
  # -- Default domain used by all components
  ## Used for ingresses, certificates, SSO, notifications, etc.
  domain: argocd.somaz.link

configs:
  cm:
    timeout.reconciliation: 180s # default is 180s
    # Add account settings
    dex.config: |
      connectors:
        - type: oidc
          id: google
          name: Google
          config:
            # the oidc connector takes the provider's issuer URL (not baseURL)
            issuer: https://accounts.google.com
            clientID: cd5caac... # TODO: change to your Google client ID
            # resolved from argocd-secret (configs.secret.extra below) instead of
            # storing the secret in the ConfigMap
            clientSecret: $dex.google.clientSecret
            redirectURI: https://argocd.somaz.link/api/dex/callback # TODO: change to your Argo CD domain
  params:
    create: true
    server.insecure: false # default: false
  # SSH known hosts for Git repositories
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys
  ssh: {} # an empty map keeps the chart's default known hosts (a bare "ssh:" is null and would delete them)
    # -- Additional known hosts for private repositories
    # extraHosts: |
    #   gitlab.somaz.link ssh-rsa AAAAB3...
    #   gitlab.somaz.link ecdsa-sha2-nistp256 AAAA...
    #   gitlab.somaz.link ssh-ed25519 AAAA...
  rbac:
    create: true
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, *, *, allow
      p, role:org-admin, projects, get, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, exec, create, */*, allow
      # Grant admin permissions to the Google account
      g, somaz@somaz.link, role:org-admin # TODO: change to your Google user email (somaz@somaz.link)
  # Extra keys merged into argocd-secret (the chart key is configs.secret.extra)
  secret:
    extra:
      # Google SSO configuration; keep the TODO comments outside the quoted values,
      # otherwise they become part of the secret
      dex.google.clientId: "cd5caac..." # TODO: change to your Google client ID
      dex.google.clientSecret: "gloas-a9..." # TODO: change to your Google client secret
```
3. Create argocd-secret for OAuth
If you’re using the Google OAuth connector, you need to store the client secret securely:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
type: Opaque
data:
  # Base64-encoded client secret (encode it without a trailing newline)
  dex.google.clientSecret: R3h4eHgtb3h4eHh4eHh4eHh4eHh4eHh4eHh4
  # Add other existing ArgoCD secrets here as well
```
To create this secret manually:
4. Restart ArgoCD Components
Check deployments:

```shell
k get deployments.apps -n argocd
```

Restart the required components:

```shell
k rollout restart deploy -n argocd argocd-server
k rollout restart deploy -n argocd argocd-dex-server
```
5. Test Login
Access your ArgoCD instance and verify that Google Workspace SSO login works correctly.
Advanced Configuration
Group-Based Access Control
You can map Google Workspace groups to ArgoCD roles for more granular permissions management:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.csv: |
    # Allow members of 'platform-team@example.com' to be admins
    g, platform-team@example.com, role:admin
    # Allow members of 'developers@example.com' to only access certain projects
    p, role:developers, applications, get, dev-team/*, allow
    p, role:developers, applications, sync, dev-team/*, allow
    g, developers@example.com, role:developers
    # Default permissions for all users
    p, role:readonly, applications, get, */*, allow
    p, role:readonly, clusters, get, *, allow
  scopes: '[groups, email]'
```
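Before applying a policy like the one above (or the org-admin policy in step 2), it is worth checking what it actually grants to a given user. The following is an added Python evaluator, not code from the post or from Argo CD, that approximates Argo CD's Casbin model: `g` lines map email or group claims to roles, `p` lines are glob-matched on resource, action and object, `deny` beats `allow`, and `policy.default` is the fallback role. The policy text and user claims are constructed from the example above; `fnmatch` stands in for Argo CD's glob matcher.

```python
import fnmatch
from collections import defaultdict

# Constructed policy.csv from the group-based example above; the explicit p line for
# role:admin stands in for Argo CD's built-in role of that name.
POLICY_CSV = """
g, platform-team@example.com, role:admin
p, role:admin, *, *, *, allow
p, role:developers, applications, get, dev-team/*, allow
p, role:developers, applications, sync, dev-team/*, allow
g, developers@example.com, role:developers
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
"""
DEFAULT_ROLE = "role:readonly"  # policy.default


def parse_policy(csv_text):
    """Split policy.csv into permission rules and subject-to-role grants."""
    perms, grants = [], defaultdict(set)
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # Casbin skips comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            perms.append(tuple(fields[1:]))  # (subject, resource, action, object, effect)
        elif fields[0] == "g" and len(fields) == 3:
            grants[fields[1]].add(fields[2])  # email or group claim -> role
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return perms, grants

def effective_roles(claims, grants, default_role=DEFAULT_ROLE):
    """Roles reachable from the token's email and groups claims, following g-chains."""
    roles, todo = {default_role}, list(claims)
    while todo:
        for role in grants.get(todo.pop(), ()):
            if role not in roles:
                roles.add(role)
                todo.append(role)  # a role may itself be granted another role
    return roles

def can(claims, resource, action, obj, perms, grants):
    """Deny-overrides: a matching deny refuses, otherwise any matching allow grants."""
    subjects = effective_roles(claims, grants) | set(claims)
    effects = {eft for sub, res, act, pat, eft in perms if sub in subjects
               and all(fnmatch.fnmatchcase(value, pattern) for value, pattern in
                       ((resource, res), (action, act), (obj, pat)))}
    return "deny" not in effects and "allow" in effects
```

For the authoritative answer against a real policy file, Argo CD ships `argocd admin settings rbac can <subject> <action> <resource> [<object>] --policy-file policy.csv`.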
Configuring Google Groups Integration
To enable group membership checking, switch Dex to its dedicated `google` connector. Google's OIDC tokens carry no groups claim, so the generic `oidc` connector cannot see Google Workspace groups; the `google` connector reads membership through the Admin SDK using a service account that a Workspace admin has delegated (its JSON key is mounted into the argocd-dex-server pod):

```yaml
dex.config: |
  connectors:
    - type: google
      id: google
      name: Google
      config:
        clientID: <YOUR-CLIENT-ID>
        clientSecret: $dex.google.clientSecret
        redirectURI: https://argocd.somaz.link/api/dex/callback
        # Only members of these Google Groups may log in; membership is
        # also emitted as the groups claim used by argocd-rbac-cm
        groups:
          - dev-team@example.com
          - platform-team@example.com
        # Service-account key file and the Workspace admin it impersonates
        # to look up group membership
        serviceAccountFilePath: <path-to-service-account-json>
        adminEmail: <workspace-admin@example.com>
        # Restrict to specific domains
        hostedDomains:
          - example.com
```
Hardening Your SSO Configuration
Security Best Practices:
1. Session Management:
   - Configure reasonable session timeouts
   - Enable secure session storage
   - Implement session revocation mechanisms
2. Access Control:
   - Apply the principle of least privilege
   - Regularly audit user access and permissions
   - Implement role-based access control
3. Network Security:
   - Use HTTPS with valid certificates
   - Implement network policies to restrict access
   - Consider adding IP-based restrictions
4. Monitoring and Logging:
   - Enable comprehensive audit logging
   - Monitor for suspicious login attempts
   - Set up alerts for permission changes
Session Configuration Example
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: https://argocd.somaz.link
  application.instanceLabelKey: argocd.argoproj.io/instance
  # Disable the built-in local admin account once SSO login is confirmed working
  admin.enabled: "false"
  timeout.reconciliation: 180s
  # Session security settings (the argocd-cm key for session lifetime is users.session.duration)
  users.session.duration: "8h" # Session valid for 8 hours
```
TLS Configuration
Ensure your ArgoCD instance is properly secured with TLS:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cmd-params-cm
  namespace: argocd
data:
  # Keep TLS enabled on the API server (do not rely on the ingress alone)
  server.insecure: "false"
  # Strictly validate the Dex server's certificate when the API server calls it
  server.dex.server.strict.tls: "true"
```
For Ingress with TLS:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    # argocd-server terminates TLS itself (server.insecure is "false"), so the
    # TLS stream is passed through; ingress-nginx must run with
    # --enable-ssl-passthrough for this annotation to take effect
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
    - host: argocd.somaz.link
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: argocd-server
                port:
                  name: https
  tls:
    - hosts:
        - argocd.somaz.link
      secretName: argocd-secret-tls
```
Troubleshooting
Common Issues
Typical Problems and Solutions:
1. Authentication Failed:
   - Check client ID and secret
   - Verify redirect URI configuration
   - Ensure domain settings match
   - Check ArgoCD server URL configuration
2. User Cannot Login:
   - Verify the user's email domain matches hostedDomains
   - Check RBAC configuration
   - Inspect Dex logs for errors
3. Insufficient Permissions:
   - Review RBAC policy configuration
   - Check user's group membership
   - Verify scopes include 'groups' and 'email'
4. Certificate Issues:
   - Ensure SSL certificates are valid
   - Check TLS configuration
   - Verify proper URL redirection
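Most of the first two problem classes are plain mismatches between argocd-cm, the Dex connector and argocd-secret, and they can be caught before anyone tries to log in. The following is an added Python check, not part of the original post or of Argo CD, run over constructed copies of the argocd-cm `url`, the Dex connector config and the argocd-secret `data`: it verifies that `redirectURI` is exactly `<url>/api/dex/callback`, that the `$<key>` reference resolves to a key present in argocd-secret, that the decoded secret carries no stray whitespace (the classic `echo` without `-n` mistake when base64-encoding), and that `hostedDomains` is set.

```python
import base64

# Constructed samples of what kubectl -o json returns: the argocd-cm url, the Dex
# connector config and argocd-secret data (base64). SECRET_DATA_BAD was encoded
# with a trailing newline, as `echo secret | base64` produces.
ARGOCD_CM = {"url": "https://argocd.somaz.link"}
CONNECTOR = {
    "clientID": "7xxxxxx-fxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
    "clientSecret": "$dex.google.clientSecret",
    "redirectURI": "https://argocd.somaz.link/api/dex/callback",
    "hostedDomains": ["example.com"],
}
SECRET_DATA_OK = {"dex.google.clientSecret": base64.b64encode(b"Gxxxx-oxxxxxxxx").decode()}
SECRET_DATA_BAD = {"dex.google.clientSecret": base64.b64encode(b"Gxxxx-oxxxxxxxx\n").decode()}


def lint_sso(cm, connector, secret_data):
    """Return findings for the mismatches named in the troubleshooting list (empty = clean)."""
    findings = []
    expected = cm.get("url", "").rstrip("/") + "/api/dex/callback"
    if connector.get("redirectURI") != expected:
        findings.append(f"redirectURI {connector.get('redirectURI')!r} != {expected!r} derived from url")
    if not connector.get("clientID", "").endswith(".apps.googleusercontent.com"):
        findings.append("clientID does not look like a Google OAuth client ID")
    ref = connector.get("clientSecret", "")
    if not ref.startswith("$"):
        findings.append("clientSecret is inline in the ConfigMap; reference argocd-secret as $<key>")
    elif ref[1:] not in secret_data:
        findings.append(f"argocd-secret has no key {ref[1:]!r}")
    else:
        raw = base64.b64decode(secret_data[ref[1:]])
        if raw != raw.strip():
            findings.append(f"secret {ref[1:]!r} has surrounding whitespace (echo without -n?)")
    if not connector.get("hostedDomains"):
        findings.append("hostedDomains is empty: any Google account can log in")
    return findings
```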
Debug Commands
```shell
# Check ArgoCD server logs
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-server
# Check Dex server logs
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-dex-server
# View configuration
kubectl get cm argocd-cm -n argocd -o yaml
# Check RBAC configuration
kubectl get cm argocd-rbac-cm -n argocd -o yaml
# Test network connectivity
kubectl run -it --rm debug --image=curlimages/curl:7.73.0 -- curl -vk https://argocd-server.argocd.svc.cluster.local
```
Checking Dex Status
```shell
# Port-forward to the Dex metrics port
kubectl port-forward -n argocd svc/argocd-dex-server 5558
# In a new terminal
curl localhost:5558/metrics | grep dex
```
Automating the Setup
Setup Script
Here’s a script to automate the configuration:
Authentication Processes
- OAuth Authentication
- SAML Authentication
- OpenID Connect Authentication
Important Notes
- Consider domain settings, security policies, and network configurations for production environments
- Keep up with the latest documentation as GCP Console and ArgoCD settings may change
- Ensure proper backup before making configuration changes
- Use separate test and production environments for SSO configuration testing
Security Considerations
ArgoCD SSO Security Checklist
Security Checklist:
✅ Use HTTPS with valid certificates
✅ Implement least privilege RBAC policies
✅ Restrict by hosted domains
✅ Enable appropriate session timeouts
✅ Regularly rotate client secrets
✅ Audit SSO access regularly
✅ Backup configurations before changes
✅ Implement network policies
✅ Monitor for suspicious login attempts
✅ Enable multi-factor authentication in Google