Authenticate ArgoCD cli with Verrazzano SSO

Julian OI
Published in Verrazzano
Apr 20, 2023

In this tutorial I am going to show how to authenticate the Argo CD Command Line Interface (CLI) with a Verrazzano Single Sign-On user.

First, a brief explanation of two key Verrazzano components that play a role in this configuration.

  • Verrazzano uses Keycloak as its primary user store and configures OpenID Connect (OIDC) with PKCE to authenticate users for all Verrazzano system components (Prometheus, Grafana, ArgoCD, Kiali, etc.), giving Verrazzano administrators a Single Sign-On experience. Keycloak supports the standard protocols OAuth 2.0, OpenID Connect and SAML for authorization and authentication.
  • Argo CD is a GitOps continuous delivery tool. It maintains the desired application state between a Git repository and a registered Kubernetes cluster.

When Keycloak and ArgoCD are deployed on vanilla Kubernetes, a user has to invest time learning how to manually configure and secure them. However, when a user chooses to install ArgoCD and Keycloak with Verrazzano, they come preconfigured and wired together on your behalf. The only thing you need to do is authenticate with the verrazzano user configured in Keycloak and start deploying your apps. I recommend reading the Intro to ArgoCD in Verrazzano 1.5.0 blog for more details about ArgoCD.

ArgoCD CLI

Initially, users configure their applications, repositories and deployments from the ArgoCD UI. But eventually, as automation requirements grow, many configurations need to be run from the command line. ArgoCD includes an easy-to-use CLI that can manage almost every resource on the ArgoCD server.

Download Argo CLI

ArgoCD includes an easy way to download a CLI version compatible with the server installed on Verrazzano. First, collect the ArgoCD endpoint.

vz status | grep -i argoCDUrl

or

kubectl get vz -o yaml | grep argoCDUrl

Open a new browser window/tab with the argoCDUrl and click on the option “log in via Keycloak” as shown in the picture below.

After submitting the authentication form, click on the “Documentation” option. Then click the button below the “Want to download the CLI Tool?” text to download ArgoCD’s CLI. The release provided out of the box is compatible with Linux amd64 distributions.

Download the file, save it and rename it as argocd.

curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
rm argocd-linux-amd64

Make sure it is on your Linux PATH. If you need a different version, you can download it from the argoproj repository directly; follow the cli_installation notes at https://github.com/argoproj/argo-cd/blob/master/docs/cli_installation.md

To confirm the installation was successful, type `argocd` in your terminal. It should print its help menu, similar to the output below.

(Image: argocd CLI help output)

Let’s set this aside for now, as I want to describe how the authorization flow works, using the OpenID Connect and OAuth 2 protocols, between the ArgoCD server, the Verrazzano AuthProxy and Keycloak to authenticate the ArgoCD CLI with the Single Sign-On option.

SSO Flow

1. The ArgoCD CLI sends a login request to the ArgoCD endpoint deployed in Verrazzano.

2. The Verrazzano Auth Proxy intercepts the request and checks whether a valid token is associated with the user session before granting access to the ArgoCD server. If the JWT is invalid or absent, it redirects the client (the ArgoCD CLI) to authenticate with Keycloak.

3. The ArgoCD CLI only supports browser authentication. It attempts to open a browser on your workstation if you run it from the same host it is installed on. Otherwise, it prints output similar to the one below. Copy and paste the URL that follows the “Performing authorization_code flow login:” text.

argocd login argocd.default.${domain} --sso
WARNING: server certificate had error: x509: certificate signed by unknown authority. Proceed insecurely (y/n)? y
Opening browser for authentication
Performing authorization_code flow login:
https://keycloak.default.${domain}/auth/realms/verrazzano-system/protocol/openid-connect/auth?access_type=offline&client_id=argocd&code_challenge=_iH0t\
&code_challenge_method=S256 \
&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback&response_type=code \
&scope=openid+profile+email+groups+offline_access\
&state=QsRXxdXePwtCcBfLesfrtPLN

4. The user is prompted to log in with the Verrazzano Single Sign-On user name and password through a basic authorization form.

5. Keycloak confirms that the provided credentials match an existing user in the “verrazzano-system” realm. It also checks whether client_id=argocd exists and that the redirect_uri parameter value matches an entry in the “Valid redirect URIs” list configured under the argocd OpenID Connect client settings.

6. Keycloak responds with an authorization code.

7. The browser is redirected to http://localhost:8085 with this authorization code. Note that the ArgoCD CLI starts a simple listening web server on port 8085. It collects the authorization code passed along by the browser and includes it in a new request sent to Keycloak. If the code is valid, the response to the ArgoCD CLI includes a JWT and the end user is shown an “Authentication successful” page.

At this point, the ArgoCD CLI stores an auth-token and a refresh-token in the default config file at $HOME/.config/argocd/config:

contexts:
- name: argocd.default.XXX
  server: argocd.default.XXX
  user: argocd.default.XXX
current-context: argocd.default.XXXX
servers:
- grpc-web-root-path: ""
  insecure: true
  server: argocd.default.XXXX
users:
- auth-token: eyJhbGciOiJSUzI1NiIsInR5cCIgOiAi.....
  name: argocd.default.XXXXX
  refresh-token: eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiS......
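Because that config file holds bearer tokens, it is worth being able to look at what is in it. The following is an added example (not ArgoCD or Verrazzano code) that pulls the auth-token out of the config text, decodes the JWT claims without verifying the signature (a local sanity check of expiry and issuer, not an authentication step), and flags the file if anyone other than the owner can read it. The EXPECTED_ISSUER domain and the make_constructed_token helper are assumptions made for the example.

```python
# Added example, not ArgoCD/Verrazzano code: inspect the token stored in
# $HOME/.config/argocd/config. Claims are decoded WITHOUT signature verification.
import base64
import json
import os
import re
import stat
import time

# Issuer of the "verrazzano-system" realm; the domain is an assumption.
EXPECTED_ISSUER = "https://keycloak.default.example.com/auth/realms/verrazzano-system"

# Simplified scan of the `users:` entries; not a full YAML parser.
_TOKEN_RE = re.compile(r"^\s*-?\s*(auth-token|refresh-token):\s*(\S+)\s*$", re.MULTILINE)


def extract_tokens(config_text: str) -> dict:
    """Return {'auth-token': ..., 'refresh-token': ...} found in the config text."""
    return {key: value for key, value in _TOKEN_RE.findall(config_text)}


def _b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)  # JWT segments drop '=' padding
    return json.loads(base64.urlsafe_b64decode(padded))


def decode_jwt(token: str) -> tuple:
    """Split a compact JWT into (header, claims). No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return _b64url_json(parts[0]), _b64url_json(parts[1])


def token_report(token: str, now=None) -> dict:
    """Summarise algorithm, issuer match and remaining lifetime of a stored token."""
    header, claims = decode_jwt(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return {
        "alg": header.get("alg"),
        "issuer_ok": claims.get("iss") == EXPECTED_ISSUER,
        "audience": claims.get("aud"),
        "expired": exp is None or exp <= now,
        "seconds_left": max(0, int(exp - now)) if exp is not None else 0,
    }


def config_permission_findings(path: str) -> list:
    """The file holds bearer tokens: report it if group/other bits are set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"{path} is mode {mode:04o}; expected 0600 (owner only)")
    return findings


def make_constructed_token(claims: dict) -> str:
    """CONSTRUCTED test token with a dummy signature; for the example only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


if __name__ == "__main__":
    path = os.path.expanduser("~/.config/argocd/config")
    if os.path.exists(path):
        for finding in config_permission_findings(path):
            print("WARNING:", finding)
        with open(path) as fh:
            tokens = extract_tokens(fh.read())
        if "auth-token" in tokens:
            print(json.dumps(token_report(tokens["auth-token"]), indent=2))
```

Run it on the workstation where `argocd login` was performed; a report with `"issuer_ok": false` means the token did not come from the verrazzano-system realm you expected, and an `"expired": true` result explains a sudden `argocd` failure before the refresh-token kicks in.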

Now, here are the changes needed in the “verrazzano-system” realm inside Keycloak to make sure the authorization flow completes correctly.

What needs to change?

Log in to your Keycloak admin console. Authenticate with the Keycloak admin user, not the Verrazzano SSO user. Then select the “verrazzano-system” realm from the realm drop-down.

Next, go to Clients and select argocd from the client list.

Under the argocd Settings, go to “Valid redirect URIs” and add a new entry with the value http://localhost:8085/auth/callback.

This step is key; otherwise you will run into an “invalid parameter: redirect_uri” error.

(Image: redirect_uri not authorized error)

Next, switch “Client Authentication” from the confidential to the public access type by turning it off.

Why turn it off?

Here is an excerpt from the OAuth 2 specification (RFC 6749), which states the following:

OAuth defines two client types, based on their ability to
authenticate securely with the authorization server (i.e., ability to
maintain the confidentiality of their client credentials):

confidential
Clients capable of maintaining the confidentiality of their
credentials (e.g., client implemented on a secure server with
restricted access to the client credentials), or capable of secure
client authentication using other means.

public
Clients incapable of maintaining the confidentiality of their
credentials (e.g., clients executing on the device used by the
resource owner, such as an installed native application or a web
browser-based application), and incapable of secure client
authentication via any other means.

In the ArgoCD CLI’s case, it behaves as a client-side application that cannot safely store a secret, hence the use of the public client type.
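To make the flow above (steps 3, 5 and 7), the redirect_uri requirement and the public-client choice concrete, here is an added example that is not ArgoCD’s or Keycloak’s code. It shows the client-side pieces that let a public client log in without a client secret: a PKCE verifier/challenge pair (S256, RFC 7636), a random state, the checks the listener on http://localhost:8085/auth/callback must make before redeeming the code, and the server-side PKCE comparison at the token endpoint. The redirect_uri_allowed function is a simplified model of Keycloak’s “Valid redirect URIs” comparison (an exact entry, or a trailing * wildcard), and the AUTH_ENDPOINT domain is an assumption.

```python
# Added example, not ArgoCD/Keycloak code: PKCE + state handling for a public client.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Keycloak authorization endpoint of the verrazzano-system realm; domain is assumed.
AUTH_ENDPOINT = ("https://keycloak.default.example.com"
                 "/auth/realms/verrazzano-system/protocol/openid-connect/auth")
CLI_REDIRECT_URI = "http://localhost:8085/auth/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def pkce_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_login_attempt() -> dict:
    """Fresh verifier, challenge and state; kept client-side for the whole attempt."""
    verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters
    return {"verifier": verifier,
            "challenge": pkce_challenge(verifier),
            "state": secrets.token_urlsafe(18)}


def build_auth_url(attempt: dict, client_id: str = "argocd") -> str:
    """The URL the CLI opens in the browser (same parameters as the page's output)."""
    params = {
        "access_type": "offline",
        "client_id": client_id,
        "code_challenge": attempt["challenge"],
        "code_challenge_method": "S256",
        "redirect_uri": CLI_REDIRECT_URI,
        "response_type": "code",
        "scope": "openid profile email groups offline_access",
        "state": attempt["state"],
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def redirect_uri_allowed(candidate: str, valid_redirect_uris: list) -> bool:
    """Model of the 'Valid redirect URIs' check: exact entry or trailing '*' prefix.
    Simplification for the example, not Keycloak's implementation."""
    for entry in valid_redirect_uris:
        if entry.endswith("*"):
            if candidate.startswith(entry[:-1]):
                return True
        elif candidate == entry:
            return True
    return False


def handle_callback(callback_url: str, attempt: dict) -> str:
    """What the CLI's listener on :8085 must verify before redeeming the code."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != attempt["state"]:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_endpoint_pkce_check(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: the token request must prove possession of the verifier."""
    return secrets.compare_digest(pkce_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    attempt = new_login_attempt()
    print("Performing authorization_code flow login:")
    print(build_auth_url(attempt))
```

The verifier never leaves the CLI process until the code exchange, which is why a public client with no secret is still safe here: an authorization code seen in transit or in a browser history cannot be redeemed without the matching verifier, and the state check stops a callback from a different login attempt being accepted on port 8085.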

Be sure to save all changes.

Now you can run `argocd login` and then, for example, list the clusters registered in the ArgoCD server from the command line:

[~]$ argocd login argocd.default.${DOMAIN} --sso
WARNING: server certificate had error: x509: certificate signed by unknown authority. Proceed insecurely (y/n)? y
Opening browser for authentication
Performing authorization_code flow login:
https://keycloak.default.${DOMAIN}/auth/realms/verrazzano-system/protocol/openid-connect/auth?access_type=offline \
&client_id=argocd \
&code_challenge=_fylBB0bgJwH89sYAAoPCJSKPXQUaqmSOluLd4rGKOs \
&code_challenge_method=S256
&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2Fauth%2Fcallback
&response_type=code
&scope=openid+profile+email+groups+offline_access
&state=DVbOCHyapLrqwzPoIOoIaqDm
Authentication successful
'Verrazzano Admin' logged in successfully
Context 'argocd.default.XXXXXX' updated

[~]$ argocd cluster list --grpc-web
SERVER                          NAME        VERSION  STATUS      MESSAGE  PROJECT
https://kubernetes.default.svc  in-cluster  1.24     Successful

It should be working now!

This blog showed how to enable ArgoCD CLI login with the Single Sign-On option. An additional redirect_uri of http://localhost:8085 is needed in the argocd OIDC client, and the client type must be changed. It is important to note that these changes are meant for your development environment only.
