11 min to read
Setting up ArgoCD SSO with GCP OAuth
A comprehensive guide to implementing ArgoCD SSO with GCP OAuth

Overview
This post explains how to configure Single Sign-On (SSO) for ArgoCD using Google Cloud Platform (GCP) OAuth.
Benefits of Using SSO with ArgoCD
-
Centralized Authentication
Streamlines access management by integrating with your organization's existing identity provider. -
Enhanced Security
Leverages Google's security features including MFA, suspicious login detection, and centralized user management. -
Simplified User Experience
Provides seamless login experience without requiring separate ArgoCD credentials. -
Improved Compliance
Facilitates audit logging and access controls through centralized identity management.
Prerequisites
- A GCP project with OAuth 2.0 configured
- ArgoCD installed on a Kubernetes cluster
- Administrative access to both GCP and ArgoCD
- Domain with proper DNS configuration for ArgoCD
Steps
1. Create OAuth 2.0 Client ID in GCP
Console Method
1. Log in to Google Cloud Console and select your project
2. Navigate to “APIs & Services” > “Credentials”
3. Click “Create Credentials” and select “OAuth client ID”
4. Configure OAuth consent screen:
- Choose Internal (for organization users) or External (for all Google accounts)
- Complete app registration: OAuth consent screen, scopes, test users, summary
5. Create OAuth client:
- Select “Web application” as application type
- Add authorized redirect URI:
https://argocd-server-url/api/dex/callback
6. Save the generated credentials
Client ID
7xxxxxx-fxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
Client Secret
Gxxxx-oxxxxxxxxxxxxxxxxxxxxxxxx
CLI Method
2. Update ArgoCD Configuration
First, backup existing configurations:
k get cm -n argocd argocd-cm -o yaml | k neat >> argocd-cm.yaml
k get secrets -n argocd argocd-secret -o yaml | k neat >> argocd-secret.yaml
Update ConfigMaps (Yaml)
argocd-cm
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
url: https://<argocd-server-url>
dex.config: |
connectors:
- type: oidc
id: google
name: Google
config:
issuer: https://accounts.google.com
clientID: <YOUR-CLIENT-ID>
clientSecret: $google-client-secret
redirectURI: https://argocd.somaz.link/api/dex/callback
hostedDomains:
- <your-domain.com>
argocd-rbac-cm
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
labels:
app.kubernetes.io/name: argocd-rbac-cm
app.kubernetes.io/part-of: argocd
data:
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
p, role:org-admin, projects, get, *, allow
p, role:org-admin, projects, create, *, allow
p, role:org-admin, projects, update, *, allow
p, role:org-admin, projects, delete, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, exec, create, */*, allow
g, somaz@example.com, role:org-admin
policy.default: role:readonly
scopes: '[groups, email]'
Update ConfigMaps (Helm)
global:
# -- Default domain used by all components
## Used for ingresses, certificates, SSO, notifications, etc.
domain: argocd.somaz.link
# SSH known hosts for Git repositories
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys
configs:
cm:
timeout.reconciliation: 180s # default is 180s
# Add account settings
dex.config: |
connectors:
- type: oidc
id: google
name: Google
config:
baseURL: https://accounts.google.com # TODO: change to your Google domain
clientID: cd5caac... # TODO: change to your Google client ID
clientSecret: gloas-a9... # TODO: change to your Google client secret
redirectURI: https://argocd.somaz.link/api/dex/callback # TODO: change to your Argo CD domain
params:
create: true
server.insecure: false # default: false
# SSH known hosts for Git repositories
## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys
ssh:
# -- Additional known hosts for private repositories
# extraHosts: |
# gitlab.somaz.link ssh-rsa AAAAB3...
# gitlab.somaz.link ecdsa-sha2-nistp256 AAAA...
# gitlab.somaz.link ssh-ed25519 AAAA...
rbac:
create: true
policy.csv: |
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, *, *, allow
p, role:org-admin, projects, get, *, allow
p, role:org-admin, logs, get, *, allow
p, role:org-admin, exec, create, */*, allow
# Google 그룹 멤버에게 admin 권한 부여
g, somaz@somaz.link, role:org-admin # TODO: change to your Google user email(somaz@somaz.link)
secrets:
# Google SSO Configuration
dex.google.clientId: "cd5caac... # TODO: change to your Google client ID"
dex.google.clientSecret: "gloas-a9... # TODO: change to your Google client secret"
3. Create argocd-secret for OAuth
If you’re using the Google OAuth connector, you need to store the client secret securely:
apiVersion: v1
kind: Secret
metadata:
name: argocd-secret
namespace: argocd
labels:
app.kubernetes.io/name: argocd-secret
app.kubernetes.io/part-of: argocd
type: Opaque
data:
# Base64 encoded client secret
dex.google.clientSecret: R3h4eHgtb3h4eHh4eHh4eHh4eHh4eHh4eHh4
# Add other existing ArgoCD secrets here as well
To create this secret manually:
4. Restart ArgoCD Components
Check deployments:
k get deployments.apps -n argocd
Restart required components:
k rollout restart deploy -n argocd argocd-server
k rollout restart deploy -n argocd argocd-dex-server
5. Test Login
Access your ArgoCD instance and verify that Google Workspace SSO login works correctly.
Advanced Configuration
Group-Based Access Control
You can map Google Workspace groups to ArgoCD roles for more granular permissions management:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
namespace: argocd
data:
policy.csv: |
# Allow members of 'platform-team@example.com' to be admins
g, platform-team@example.com, role:admin
# Allow members of 'developers@example.com' to only access certain projects
p, role:developers, applications, get, dev-team/*, allow
p, role:developers, applications, sync, dev-team/*, allow
g, developers@example.com, role:developers
# Default permissions for all users
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
scopes: '[groups, email]'
Configuring Google Groups Integration
To enable group membership checking, update the Dex connector configuration:
dex.config: |
connectors:
- type: oidc
id: google
name: Google
config:
issuer: https://accounts.google.com
clientID: <YOUR-CLIENT-ID>
clientSecret: $dex.google.clientSecret
redirectURI: https://argocd.somaz.link/api/dex/callback
# Enable Google Groups integration
groups:
# True to use Google Groups for group membership claims
useGroupsAsWhitelist: true
# Filtering to specific Google Groups
filterGroups: ["dev-team@example.com", "platform-team@example.com"]
# Restrict to specific domains
hostedDomains:
- example.com
Hardening Your SSO Configuration
Security Best Practices:
1. Session Management: - Configure reasonable session timeouts
- Enable secure session storage
- Implement session revocation mechanisms
2. Access Control: - Apply the principle of least privilege
- Regularly audit user access and permissions
- Implement role-based access control
3. Network Security: - Use HTTPS with valid certificates
- Implement network policies to restrict access
- Consider adding IP-based restrictions
4. Monitoring and Logging: - Enable comprehensive audit logging
- Monitor for suspicious login attempts
- Set up alerts for permission changes
Session Configuration Example
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
data:
url: https://argocd.somaz.link
# Session settings
application.instanceLabelKey: argocd.argoproj.io/instance
admin.enabled: "false"
timeout.reconciliation: 180s
# Session security settings
session.duration: "8h" # Session valid for 8 hours
TLS Configuration
Ensure your ArgoCD instance is properly secured with TLS:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
namespace: argocd
data:
# Disable insecure connections
server.insecure: "false"
# Enable strict TLS
server.strict-tls: "true"
For Ingress with TLS:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argocd-server-ingress
namespace: argocd
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
# Required for OAuth redirects
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
rules:
- host: argocd.somaz.link
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
name: https
tls:
- hosts:
- argocd.somaz.link
secretName: argocd-secret-tls
Troubleshooting
Common Issues
Typical Problems and Solutions:
1. Authentication Failed: - Check client ID and secret
- Verify redirect URI configuration
- Ensure domain settings match
- Check ArgoCD server URL configuration
2. User Cannot Login: - Verify the user's email domain matches hostedDomains
- Check RBAC configuration
- Inspect Dex logs for errors
3. Insufficient Permissions: - Review RBAC policy configuration
- Check user's group membership
- Verify scopes include 'groups' and 'email'
4. Certificate Issues: - Ensure SSL certificates are valid
- Check TLS configuration
- Verify proper URL redirection
Debug Commands
# Check ArgoCD server logs
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-server
# Check Dex server logs
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-dex-server
# View configuration
kubectl get cm argocd-cm -n argocd -o yaml
# Check RBAC configuration
kubectl get cm argocd-rbac-cm -n argocd -o yaml
# Test network connectivity
kubectl run -it --rm debug --image=curlimages/curl:7.73.0 -- curl -vk https://argocd-server.argocd.svc.cluster.local
Checking Dex Status
# Port forward to Dex metrics
kubectl port-forward -n argocd svc/argocd-dex-server 5558
# In a new terminal
curl localhost:5558/metrics | grep dex
Automating the Setup
Setup Script
Here’s a script to automate the configuration:
Authentication Processes
- OAuth Authentication
- SAML Authentication
- OpenID Connect Authentication
Important Notes
- Consider domain settings, security policies, and network configurations for production environments
- Keep up with the latest documentation as GCP Console and ArgoCD settings may change
- Ensure proper backup before making configuration changes
- Use separate test and production environments for SSO configuration testing
Security Considerations
ArgoCD SSO Security Checklist
Security Checklist:
✅ Use HTTPS with valid certificates
✅ Implement least privilege RBAC policies
✅ Restrict by hosted domains
✅ Enable appropriate session timeouts
✅ Regularly rotate client secrets
✅ Audit SSO access regularly
✅ Backup configurations before changes
✅ Implement network policies
✅ Monitor for suspicious login attempts
✅ Enable multi-factor authentication in Google
Comments