ArgoCD Okta Setup.

gaurav agnihotri
Oct 17, 2022


ArgoCD SSO using Okta

Okta single sign-on can be configured using at least two different techniques, including:

> SAML is the one that we will choose to configure (with Dex).

Now log in to your Okta account as an admin.

> Look for the Applications section.

Then click on Create App Integration.

New App Integration With Okta

Choose SAML 2.0 and click Next.

Now, under Create a SAML Integration,

General Settings:-

> Upload ArgoCD Logo & tick the App Visibility Check Box

> Click on Next

Note:- Due to Dex’s inability to enable provider-initiated login flows, I have disabled App Visibility.

Configure SAML:-

In the real world, your ArgoCD server (pod) will always run in a private cluster/private setup (which means no one outside the company can access the ArgoCD URLs), so we will set up a private deployment.

The Okta callback URL could be the only publicly accessible endpoint in a private Argo CD installation for an Okta SSO setup. A few tweaks are required to the data.dex.config area of the argocd-cm ConfigMap.

Assume, Public ArgoCD URL:-

https://argocd-ex.example.com/api/dex/callback

Assume, Private ArgoCD URL:-

https://argocd-in.example.com/api/dex/callback

For now, we’ll mention Two group names; you will choose the name as per your organization’s nomenclature.

I am Creating Two Groups, Called — DevOps, OrgUser

Then Click Next

Choose I’m an Okta Customer Adding an Internal app & Click Finish.

Next, Go to the Sign On Section and search for View SAML setup instructions.

Now look for the ArgoCD yaml files that you used to set up the Argo CD cluster and edit argocd-cm to configure the data.dex.config section.

Direct URL for Edit section (v2.4.7)— https://github.com/argoproj/argo-cd/blob/v2.4.7/manifests/ha/install.yaml#L9494

Before editing the argocd-cm, let's convert the X.509 Certificate into base64, which you can get from the SAML setup Instructions.

echo -n 'Copy-Paste X.509 Certificate here' | base64

Assume, your X.509 Certificate Encoded Value is -

LS0AJDJNXIAODHDJWERICHSKAKSDKSKSKSKSKWPZLALSDJFOPWLXNFJKSLXJCHJDSJSKSKSKSKSKSKQAPQLZDHWPACNSJAPPDSHACHXNALAQ==

Note:- Your encoded value must be a lengthy string (the above one is just a dummy string)

Now Edit the argocd-cm and configure the data.dex.config section

Change all the Red arrow marked values as per your organization's requirements.

Note:-All the values which I used above are dummy values.

Connect Okta Groups to Argo CD Roles -

Now is the time to configure the previously specified users and groups.

Direct URL for Edit section:- https://github.com/argoproj/argo-cd/blob/v2.4.7/manifests/ha/install.yaml#L9523

Modify the argocd-rbac-cm ConfigMap to connect the DevOps and OrgUser groups to Argo CD roles.

OrgUser has Read-Only access to all resources, while the DevOps user has Admin permissions.

Note:- Please restart the respective services for the changes to take effect.
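The two ConfigMap edits described above (the data.dex.config section of argocd-cm and the group mapping in argocd-rbac-cm), written out as an added example that is not taken from the original article's screenshots. The hostnames are the article's example URLs; the namespace, the connector id/name, the SAML attribute names and the bracketed placeholders are assumptions to replace with your own values.

```yaml
# Added example for the private setup described above (not the author's own file).
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd            # assumption: default install namespace
data:
  # URL users browse to: the private/internal Argo CD endpoint
  url: https://argocd-in.example.com
  dex.config: |
    connectors:
    - type: saml
      id: okta                 # assumed connector id
      name: Okta               # assumed label for the login button
      config:
        # Sign-on URL shown under "View SAML setup instructions" (placeholder)
        ssoURL: <IDENTITY_PROVIDER_SINGLE_SIGN_ON_URL>
        # Output of the base64 command above; Dex uses this certificate
        # to verify the signature on Okta's SAML response (placeholder)
        caData: <BASE64_ENCODED_X509_CERTIFICATE>
        # Public callback URL, the only endpoint Okta needs to reach;
        # keep it identical to the URL entered in the Okta SAML settings
        redirectURI: https://argocd-ex.example.com/api/dex/callback
        entityIssuer: https://argocd-ex.example.com/api/dex/callback
        # Names of the attribute statements defined in the Okta app (assumed)
        usernameAttr: email
        emailAttr: email
        groupsAttr: group
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd            # assumption: default install namespace
data:
  # Group names are case-sensitive and must match the Okta groups exactly
  policy.csv: |
    g, DevOps, role:admin
    g, OrgUser, role:readonly
```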

Again, log into your Okta account, create the groups, and then add members to them.

Look for Groups —

Then Add group-

NOTE:- Keep in mind that group syntax is case-sensitive; therefore, use the same syntax everywhere it is necessary.

Similarly, create a group for OrgUser.

Once you have created the group, assign the people.

I’m adding every member of the DevOps team to my DevOps group and every developer to the OrgUser group.

Now open the internal Argo URL and log in via Okta.

I hope you find this article educational and beneficial.
