Argo CD Ldap Authentication And RBAC Configuration

Burak Kurt
Yapı Kredi Teknoloji
Feb 3, 2021

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It is straightforward to install and use, which is why it has become so popular.

There are several ways to install Argo CD. I prefer the Helm chart because it makes it easy to customize the installation and is also better suited to on-prem environments.

If you have already installed Argo CD and only need to configure LDAP authentication, you can skip the installation part below and go directly to the configuration part.

1. Install Argo CD using Helm Chart

The Argo CD Helm chart is a community-maintained chart that can be found here.

To install the chart, run the commands below. If you want to customize your installation, modify the values.yaml file before running helm install.

$ kubectl create namespace argocd

$ helm repo add argo https://argoproj.github.io/argo-helm
"argo" has been added to your repositories

$ helm install --name argocd argo/argo-cd --namespace argocd
NAME: argocd
...

After the installation completes, the pods should look like the following.

$ kubectl -n argocd get pods
NAME READY STATUS
argocd-application-controller-564ddd995d-z4fvj 1/1 Running
argocd-dex-server-64ddd5b4df-j8pvt 1/1 Running
argocd-redis-ha-haproxy-9f44649d8-47jg7 1/1 Running
argocd-redis-ha-haproxy-9f44649d8-h7fjv 1/1 Running
argocd-redis-ha-haproxy-9f44649d8-qph4t 1/1 Running
argocd-redis-ha-server-0 3/3 Running
argocd-redis-ha-server-1 3/3 Running
argocd-redis-ha-server-2 3/3 Running
argocd-repo-server-85459559cd-dmkhj 1/1 Running
argocd-server-6c8bc7b5dc-9tmrw 1/1 Running

Also, a ConfigMap called argocd-cm should have been created. That is the ConfigMap we are going to modify to enable LDAP authentication.

$ kubectl -n argocd get configmaps
NAME DATA AGE
argocd-cm 4 5m
...

2. LDAP Configuration

Argo CD does not have built-in LDAP support. However, it embeds and bundles Dex as part of its installation for the purpose of delegating authentication to an external identity provider. Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Multiple types of identity providers are supported (OIDC, SAML, LDAP, GitHub, etc.).

To enable LDAP authentication we have to add dex.config to the ConfigMap called argocd-cm. The Dex server reads the dex.config field of the argocd-cm ConfigMap.

First of all, create a file that contains the LDAP configuration, like the one below.

# Quote the delimiter so the shell does not expand $dex.ldap.* while writing the file
cat << 'EOF' > patch-dex.yaml
apiVersion: v1
data:
  dex.config: |
    connectors:
    - type: ldap
      name: myad.local
      id: ad
      config:
        # LDAP server address
        host: ldaps.myad.local:636
        insecureNoSSL: false
        # true skips verification of the LDAP server certificate; in production
        # set it to false and point rootCA at the CA certificate file instead
        insecureSkipVerify: true
        # Key in argocd-secret that stores the LDAP bindDN
        bindDN: "$dex.ldap.bindDN"
        # Key in argocd-secret that stores the LDAP bind password
        bindPW: "$dex.ldap.bindPW"
        usernamePrompt: Username
        # LDAP user search attributes
        userSearch:
          baseDN: "DC=mydomain,DC=local"
          filter: ""
          username: sAMAccountName
          idAttr: distinguishedName
          emailAttr: mail
          nameAttr: displayName
        # LDAP group search attributes
        groupSearch:
          baseDN: "DC=mydomain,DC=local"
          filter: ""
          userAttr: distinguishedName
          groupAttr: member
          nameAttr: name
EOF

Patch the argocd-cm ConfigMap with the file you created.

$ kubectl -n argocd patch configmaps argocd-cm \
    --patch "$(cat patch-dex.yaml)"

We prefer to reference variables for the bindDN and bindPW parameters in dex.config instead of writing this sensitive information directly into the argocd-cm ConfigMap. The variables dex.ldap.bindDN and dex.ldap.bindPW are defined as keys in argocd-secret.

The dex.ldap.bindDN and dex.ldap.bindPW values can be set with the kubectl patch commands below.

# printf is used instead of echo so that no trailing newline ends up inside the encoded value
$ kubectl -n argocd patch secrets argocd-secret --patch \
    "{\"data\":{\"dex.ldap.bindPW\":\"$(printf '%s' 'my-password' | base64 -w 0)\"}}"
$ kubectl -n argocd patch secrets argocd-secret --patch \
    "{\"data\":{\"dex.ldap.bindDN\":\"$(printf '%s' 'CN=ldapuser,OU=Service Accounts,OU=Resource,DC=mydomain,DC=local' | base64 -w 0)\"}}"

After patching argocd-cm and argocd-secret, restart the Dex and server pods and wait until they are ready.

$ kubectl -n argocd delete pod argocd-dex-server-xxxxxxxxxx-xxxxx
$ kubectl -n argocd delete pod argocd-server-xxxxxxxxxx-xxxxx

Browse to the argocd-server Ingress address or external service IP. LDAP login is now available.

3. Configure RBAC for Ldap

After configuring Dex LDAP authentication successfully we can create RBAC policies. The RBAC configuration is stored in the argocd-rbac-cm ConfigMap. Detailed information can be found on the official Argo CD RBAC documentation page.

Argo CD has the two pre-defined roles below.

  • role:readonly - read-only access to all resources
  • role:admin - unrestricted access to all resources

Anonymous access can be enabled with the users.anonymous.enabled field in argocd-cm. Anonymous users get the permissions of the default role specified by policy.default in argocd-rbac-cm. For read-only access, you can set policy.default: role:readonly. In the example below, however, we prefer more security: policy.default is set to role:none and a deny policy for role:none is defined in the policy.csv field, so the default behavior is to give no access to any resource in Argo CD.

The policy.csv field also contains two further rules. One of them gives read-only access to the LDAP group called Developers Ldap Group. The other gives admin rights to the LDAP user called myLdapUser.

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:none
  scopes: '[groups, email]'
  policy.csv: |
    p, role:none, *, *, */*, deny
    g, Developers Ldap Group, role:readonly
    g, myLdapUser, role:admin

Another policy.csv example, taken from the official Argo CD documentation, can be found below. In this example, a custom role called staging-db-admins is created with seven permissions that allow performing the actions (create/delete/get/override/sync/update applications, and get appprojects) against * (all) objects in the staging-db-admins Argo CD AppProject.

p, role:staging-db-admins, applications, create, staging-db-admins/*, allow
p, role:staging-db-admins, applications, delete, staging-db-admins/*, allow
p, role:staging-db-admins, applications, get, staging-db-admins/*, allow
p, role:staging-db-admins, applications, override, staging-db-admins/*, allow
p, role:staging-db-admins, applications, sync, staging-db-admins/*, allow
p, role:staging-db-admins, applications, update, staging-db-admins/*, allow
p, role:staging-db-admins, projects, get, staging-db-admins, allow
g, db-admins, role:staging-db-admins
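To see how such rules are actually decided, here is an added example (my own code, not Argo CD's) that replays the staging-db-admins policy above together with the role:none deny rule from the argocd-rbac-cm example, applying deny-overrides evaluation and the policy.default fallback. Python's fnmatch stands in for Argo CD's glob matcher, which is an assumption of this example.

```python
from fnmatch import fnmatchcase

# Constructed policy: staging-db-admins rules from the article plus the deny role.
POLICY_CSV = """
p, role:staging-db-admins, applications, create, staging-db-admins/*, allow
p, role:staging-db-admins, applications, delete, staging-db-admins/*, allow
p, role:staging-db-admins, applications, get, staging-db-admins/*, allow
p, role:staging-db-admins, applications, override, staging-db-admins/*, allow
p, role:staging-db-admins, applications, sync, staging-db-admins/*, allow
p, role:staging-db-admins, applications, update, staging-db-admins/*, allow
p, role:staging-db-admins, projects, get, staging-db-admins, allow
p, role:none, *, *, */*, deny
g, db-admins, role:staging-db-admins
"""

def parse_policy(csv_text):
    """Split policy.csv into permission rules (p) and subject->role links (g)."""
    perms, links = [], []
    for raw in csv_text.strip().splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            perms.append(tuple(fields[1:]))       # sub, res, act, obj, eft
        elif fields[0] == "g" and len(fields) == 3:
            links.append((fields[1], fields[2]))  # subject (user or group), role
    return perms, links

def roles_of(subject, links):
    """All roles reachable from a subject; g lines may also chain role -> role."""
    roles, todo = {subject}, [subject]
    while todo:
        current = todo.pop()
        for sub, role in links:
            if sub == current and role not in roles:
                roles.add(role)
                todo.append(role)
    return roles

def enforce(perms, links, subject, res, act, obj, default_role=""):
    """Deny-overrides: allowed only if a matching rule allows and none denies.
    If the subject's own rules do not allow, retry as the default role (policy.default)."""
    def decide(sub):
        roles, allowed, denied = roles_of(sub, links), False, False
        for p_sub, p_res, p_act, p_obj, eft in perms:
            if p_sub in roles and fnmatchcase(res, p_res) \
                    and fnmatchcase(act, p_act) and fnmatchcase(obj, p_obj):
                allowed |= eft == "allow"
                denied |= eft == "deny"
        return allowed and not denied
    return decide(subject) or (bool(default_role) and decide(default_role))
PERMS, LINKS = parse_policy(POLICY_CSV)
```

The subject passed to enforce is either the user name or one of the group names from the token's groups scope, which is why scopes must include groups for the LDAP group mapping to work.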

Conclusion

To sum up, Argo CD is a powerful and straightforward continuous delivery tool for Kubernetes. It is very popular in the community and the number of Argo CD users is increasing day by day. To enable developers and other colleagues on a Kubernetes environment and increase productivity, setting up authentication and RBAC policies is very important. LDAP integration is one way to achieve this. In this article the installation of Argo CD and the configuration of LDAP authentication and RBAC policies have been described with examples.
