
Argo CD


Installation

helm repo add argo https://argoproj.github.io/argo-helm
helm repo update argo \
  && helm search repo argo/argo-cd -l | head -n 10
helm show values argo/argo-cd \
  --version 5.8.1 \
  > values.yaml
values.yaml
fullnameOverride: "argo-cd"

configs:
  cm:
    # Preparation for version 2.5. When "true", reading pod logs needs an explicit
    # `logs, get` RBAC grant; when "false", anyone who can `get` an application can read its logs.
    server.rbac.log.enforce.enable: "false"
    # Terminal access to containers from the Web UI (keep off unless it is really needed)
    exec.enabled: "false"

server:
  extraArgs:
    # Serves API and UI over plain HTTP. Only acceptable when TLS is terminated by an ingress/proxy in front of the server.
    - --insecure # https://github.com/argoproj/argo-cd/issues/2953

applicationSet:
  enabled: false

notifications:
  enabled: false
kubectl create namespace workflow
helm upgrade argo-cd argo/argo-cd \
  --install \
  --version 5.8.1 \
  -n workflow \
  --values values.yaml

User

ConfigMap

values.yaml
configs:
  cm:
    # add an additional local user with apiKey and login capabilities
    # apiKey - allows generating API keys
    # login - allows to login using UI
    accounts.<user>: apiKey, login
    accounts.<user>.enabled: "true"

    # disables the built-in admin user. It is enabled by default
    admin.enabled: "false"

A new local account has no password until one is set with `argocd account update-password --account <user>`. Disable admin only after another administrative path (SSO plus an RBAC binding to role:admin) is confirmed to work, otherwise you lock yourself out.

Dex

Example connectors

The redirectURI is set automatically to `<.data.url>/api/dex/callback` from argocd-cm, so it does not need to be configured in the connector. `url` must therefore be the externally reachable address of Argo CD, since that is what the IdP will redirect to.

values.yaml
configs:
  cm:
    url: <uri>

Github

  • (User or Organization) Settings - Developer settings - OAuth Apps - New OAuth App
  • Homepage URL:
  • Authorization callback URL: https://<host>/api/dex/callback

Add `dex.github.clientSecret: <base64 encoded>` under `.data` of argocd-secret; the connector config references it as `$dex.github.clientSecret`.

values.yaml
configs:
  cm:
    dex.config: |
      connectors:
        - type: github
          id: github
          name: GitHub
          config:
            clientID: <clientID>
            clientSecret: $dex.github.clientSecret
            # "both" exposes each team under its display name and under its slug
            # (lowercase and `-` only), e.g. R&D -> r-d, so either form can be used in RBAC
            teamNameField: both
            orgs:
              - name: <orgName>
                # teams: # if omitted, every team of the org is included
                #   - <teamName>
info

To keep the client secret in a separate Secret instead, create one as below and reference it in the connector config as `$github-client-secret:dex.github.clientSecret`.

apiVersion: v1
kind: Secret
metadata:
  name: github-client-secret
  namespace: workflow
  labels:
    app.kubernetes.io/part-of: argocd # required: Argo CD only reads secrets carrying this label
type: Opaque
stringData:
  dex.github.clientSecret: <secret>

OIDC

values.yaml
dex:
  enabled: false

configs:
  cm:
    url: <uri>

Keycloak


  • Client
    • Add an `argo` client
      • Settings
        • Enabled: on
        • Client Protocol: openid-connect
        • Access Type: confidential
        • Valid Redirect URIs
          • <url>/auth/callback
      • Credentials
        • Client Authenticator: Client ID and Secret
        • Secret: <argo-client-secret>
  • Client Scopes
    • Add a `groups` client scope
      • Settings
        • Protocol: openid-connect
        • Include in Token Scope: on
      • Mappers
        • Add a `groups` mapper
          • Mapper Type: Group Membership
          • Token Claim Name: groups
          • Full group path: off
  • Client
    • argo client
      • Client Scopes
        • Default Client Scopes
          • Add `groups`
  • Groups
    • Add `argo-admin`
    • Add `argo-dev`
  • Users
    • Add a user
      • Email: <email>
      • Groups: <group>

Add `oidc.keycloak.clientSecret: <base64 encoded>` under `.data` of argocd-secret. Because "Full group path" is off, the `groups` claim carries bare names such as `argo-admin`; with it on, the claim would carry `/argo-admin` and the RBAC bindings must use that form.

values.yaml
configs:
  cm:
    oidc.config: |
      name: Keycloak
      # must match the `iss` claim exactly; Keycloak 17+ (Quarkus) serves realms without the `/auth` prefix by default
      issuer: <keycloak-url>/auth/realms/<realm>
      clientID: argo
      clientSecret: $oidc.keycloak.clientSecret # or `$<secret-name>:oidc.keycloak.clientSecret`
      requestedScopes: ["openid", "profile", "email", "groups"]

RBAC

values.yaml
configs:
  rbac:
    # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md
    policy.csv: |
      g, <role/user/group>, role:<role>

    # role:readonly, role:admin
    # https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv
    # role:readonly gives every authenticated user read access to every application;
    # an empty value assigns no default role, so users get only what policy.csv grants
    policy.default: "role:readonly"

    # Token claims matched as subjects in addition to "sub". Default is "[groups]".
    scopes: "[groups, preferred_username, email]"

    # glob or regex
    policy.matchMode: "glob"
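As an added worked example (not configuration from the original page or from the Argo CD project), the block below ties the User section and the RBAC section together: it binds the Keycloak groups `argo-admin` / `argo-dev` and a GitHub team coming through Dex to roles, adds a local `ci` account that can only mint API tokens, and replaces the read-everything default with an explicit deny. The project name `dev`, the account name `ci`, the role names `role:dev` / `role:ci-sync` and the choice to turn on logs RBAC enforcement are assumptions made for this example.

```yaml
# Added example, not the page's own values.yaml. Assumed names: project "dev",
# local account "ci", custom roles role:dev and role:ci-sync.
configs:
  cm:
    # CI account that can only generate API tokens, never log in through the UI
    accounts.ci: apiKey
    accounts.ci.enabled: "true"
    # Enforce "logs" as its own RBAC resource so the `logs, get` lines below have effect
    server.rbac.log.enforce.enable: "true"

  rbac:
    policy.default: ""            # no default role: anything not granted below is denied
    policy.matchMode: "glob"
    scopes: "[groups, preferred_username, email]"
    policy.csv: |
      # role:dev - developers: view, sync and run resource actions on apps in project "dev"
      # and read their logs; no exec, no app create/delete, no repo or cluster changes
      p, role:dev, applications, get,      dev/*, allow
      p, role:dev, applications, sync,     dev/*, allow
      p, role:dev, applications, action/*, dev/*, allow
      p, role:dev, logs,         get,      dev/*, allow
      p, role:dev, projects,     get,      dev,   allow

      # role:ci-sync - automation: trigger and observe syncs, nothing else
      p, role:ci-sync, applications, get,  dev/*, allow
      p, role:ci-sync, applications, sync, dev/*, allow

      # Subject bindings. Keycloak groups arrive in the "groups" claim as bare names
      # (Full group path is off); local accounts are matched by account name.
      g, argo-admin, role:admin
      g, argo-dev,   role:dev
      g, ci,         role:ci-sync
      # A GitHub team via Dex is "<org>:<team-slug>" (teamNameField: both), e.g. the R&D team:
      g, <orgName>:r-d, role:dev
```

Before applying, save the `policy.csv` content to a file and check it offline with `argocd admin settings rbac validate --policy-file policy.csv`, then confirm individual decisions with `argocd admin settings rbac can argo-dev sync applications dev/my-app --policy-file policy.csv` (and, as a negative check, the same for `exec create`), so that a typo in a group name does not silently fall through to the default policy.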