This document describes the usage of Keycloak as a Single sign-on provider for ArgoCD in OpenShift Container Platform. Keycloak acts as an Identity broker between ArgoCD and OpenShift, Which means one can also login into Argo CD using their OpenShift credentials.
The following example shows the most minimal valid manifest to create a new Argo CD cluster with keycloak as a Single sign-on provider.
apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: name: example-argocd labels: example: basic spec: sso: provider: keycloak server: route: enabled: true
If your keycloak is setup with a certificate which is not signed by one of the well known certificate authorities you can provide a custom certificate which will be used in verifying the Keycloak's TLS certificate when communicating with it.
Add the rootCA to your Argo CD custom resource
.spec.sso.keycloak.rootCA field. The operator reconciles to this change and updates the
argocd-cm configmap with the PEM encoded root certificate.
Argo CD server pod should be restarted after updating the
Please refer to the below example:
apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: name: example-argocd labels: example: basic spec: sso: provider: keycloak keycloak: rootCA: | ---- BEGIN CERTIFICATE ---- This is a dummy certificate Please place this section with appropriate rootCA ---- END CERTIFICATE ---- server: route: enabled: true
.spec.sso.verifyTLS fields are no longer supported in Argo CD operator v0.8.0 onwards. Please use equivalent fields under
.spec.sso.keycloak to configure your keycloak instance.
Create a new Argo CD Instance in the
argocd namespace using the provided example.
kubectl create -n argocd -f examples/argocd-keycloak.yaml
The above configuration creates a keycloak instance and its relevant resources along with the Argo CD resources. Users can login into the keycloak console using the below commands.
Get the Keycloak Route URL for Login.
kubectl -n argocd get route keycloak
NAME HOST/PORT PATH SERVICES PORT TERMINATION WILDCARD keycloak keycloak-default.apps.ci-ln-******.origin-ci-int-aws.dev.**.com keycloak <all> reencrypt None
Get the Keycloak Credentials which are stored as environment variables in the keycloak pod.
Get the Keycloak Pod name.
kubectl -n argocd get pods
NAME READY STATUS RESTARTS AGE keycloak-1-2sjcl 1/1 Running 0 45m
Get the Keycloak Username.
kubectl -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_USERNAME
Get the Keycloak Password.
kubectl -n argocd exec keycloak-1-2sjcl -- "env" | grep SSO_ADMIN_PASSWORD
You can see an option to Log in via keycloak apart from the usual ArgoCD login.
Click on LOGIN VIA KEYCLOAK. You will see two different options for login as shown below. The one on the left will allow you to login into argo cd via keycloak username and password. The one on the right will allow you to login into argo cd using your openshift username and password.
You can create keycloak users by logging in to keycloak admin console using the Keycloak admin credentials.
Keycloak instance takes 2-3 minutes to be up and running. You will see the option LOGIN VIA KEYCLOAK only after the keycloak instance is up.
By default any user logged into ArgoCD will have read-only access. User level access can be managed by updating the
Group Level RBAC¶
The below example shows how to grant admin access to a group with name
cluster-admins. More information regarding ArgoCD RBAC can be found here
policy.csv: | g, cluster-admins, role:admin
User Level RBAC¶
If you wish to configure RBAC for users instead of groups, consider the below example.
Example shows how to grant admin access to User foobar with email ID
firstname.lastname@example.org. More information regarding ArgoCD RBAC can be found here
policy.csv: | g, email@example.com, role:admin
Change Keycloak Admin Password¶
You can change the Keycloak Admin Password that is created by the operator as shown below.
Login to the Keycloak Admin Console using the Admin user as described in the above section. Click on the user drop-down at the top right and click on the
Click on the
Password tab to update the Keycloak Admin Password.
You can delete the Keycloak resources and its relevant configuration by removing the SSO field from ArgoCD Custom Resource Spec.
Example ArgoCD after removing the SSO field should look something like this.
apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: name: example-argocd labels: example: basic spec: server: route: enabled: true
Note: Keycloak application created by this feature is currently not persistent. Incase of restarts, Any additional configuration created by the users in ArgoCD Keycloak realm will be deleted.