How to configure ArgoCD OIDC with Google Workspace in 5 simple steps
Updated: Oct 28, 2024
There are different ways to handle authentication in ArgoCD, but relying on the built-in admin password alone is not secure enough. For this reason, we’ll learn how to configure your ArgoCD to integrate with Google Workspace for login. In this TeraTip we’ll cover one approach to authentication: using groups from Google Workspace.
Before you get started…
In order to get SSO working, you need to have SSL and the URL for your server already configured; otherwise you’ll get errors during authentication.
Step # 1: Create the OAuth Screen
First, create a project with any name you want and configure the OAuth consent screen as follows:
In the Authorized Domains section, it is important to configure the domain of your users’ email addresses; in this case, we add the domain of our organization.
Finally, on the Scopes tab, select the userinfo.profile and openid scopes. Those are the scopes ArgoCD needs for the login.
Step # 2: Create the OAuth Client ID
On the Credentials tab, click on + Create Credentials and OAuth client ID.
Then, for Application type, select Web application and configure the JavaScript origins and redirect URIs. In the Authorized JavaScript origins section, enter the root URL of your ArgoCD. In Authorized redirect URIs, enter the same URL with the /api/dex/callback path appended.
Then click on Create and save your Client ID and Client Secret for later.
Step # 3: Configure the Service Account on Google Workspace
Now create the Service Account and configure Domain Wide delegation so that ArgoCD is able to read the groups. In the Service Accounts section of the Google Console, click on + CREATE SERVICE ACCOUNT. You only need to enter a name for the service account; any name will do.
Open your service account, go to the Keys tab, click on Add Key, and select JSON as the format. Save the key file; we will use it later when configuring the OIDC.
Step # 4: Set up Domain Wide delegation and enable Admin SDK
To finish the Google configuration, you now have to configure Domain Wide delegation and enable the Admin SDK. First head to the Google Cloud Admin console, then go to Security, Access and data control, API controls, and finally click on Manage domain-wide delegation.
Click on Add Client, paste the Client ID of your service account into the Client ID field, and in the scopes section paste this: https://www.googleapis.com/auth/admin.directory.group.readonly
Finally, head to https://console.cloud.google.com/apis/library/admin.googleapis.com and enable the Admin SDK for your project.
Step # 5: Configure ArgoCD
To configure the OIDC, create two secrets in your cluster: one for the Client Secret obtained in Step 2 and one for the JSON key obtained in Step 3.
For the client secret:
apiVersion: v1
kind: Secret
metadata:
  name: argocd-cm-dex-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  dex.google.clientSecret: CLIENT_SECRET_BASE64_ENCODED
For the JSON:
apiVersion: v1
kind: Secret
metadata:
  name: argocd-google-groups-json
  namespace: argocd
data:
  googleAuth.json: JSON_FILE_BASE64_ENCODED
Now, if you are using the ArgoCD Helm Chart, you can use the following values, tested on chart version 5.27.1:
configs:
  cm:
    url: https://argocd.teracloud.io
    dex.config: |
      connectors:
        - config:
            redirectURI: https://argocd.teracloud.io/api/dex/callback
            clientID: HERE_YOUR_CLIENT_ID
            clientSecret: $argocd-cm-dex-secret:dex.google.clientSecret
            serviceAccountFilePath: /tmp/oidc/googleAuth.json
            adminEmail: email_used_for_the_domain_wide_delegation
            # A list of groups to add
            groups:
              - devops@teracloud.io
          type: google
          id: google
          name: Google
dex:
  enabled: true
  volumeMounts:
    - mountPath: /tmp/oidc
      name: google-json
      readOnly: true
  volumes:
    - name: google-json
      secret:
        defaultMode: 420
        secretName: argocd-google-groups-json
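As an added example (not part of the original post), here is a small POSIX shell helper that renders the two secrets from this step from the raw Client Secret and the downloaded JSON key file, so the base64 values are produced correctly; the secret names, data keys and label are the ones used above, and the sample values are constructed.

```shell
# Added example: render the two Step 5 Secret manifests with correctly encoded values.
# Pitfall handled: `echo` appends a newline, which would end up inside the stored client
# secret and make Dex fail to authenticate to Google.
set -eu

# Encode stdin as one base64 line (GNU and BSD base64 wrap output differently).
b64_oneline() {
  base64 | tr -d '\n'
}

# Encode a string exactly as given, with no trailing newline.
b64_string() {
  printf '%s' "$1" | b64_oneline
}

# Render the Dex client-secret Secret. The app.kubernetes.io/part-of label is what lets
# the $argocd-cm-dex-secret:dex.google.clientSecret reference in dex.config resolve.
render_dex_secret() {
  # $1 = OAuth client secret from Step 2
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-cm-dex-secret
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  dex.google.clientSecret: $(b64_string "$1")
EOF
}

# Render the service-account key Secret that dex mounts at /tmp/oidc/googleAuth.json.
render_groups_secret() {
  # $1 = path to the JSON key downloaded in Step 3
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: argocd-google-groups-json
  namespace: argocd
data:
  googleAuth.json: $(b64_oneline < "$1")
EOF
}

# Decode one data key from a rendered manifest (stdin) to verify it round-trips.
decode_key() {
  sed -n "s/^  $1: //p" | base64 -d
}
```

Pipe the output of either render function to kubectl apply -f - to create the secret in the argocd namespace.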
Now you have your ArgoCD configured with Google SSO!
Juan Wiggenhauser
Cloud Engineer
Teracloud