How to configure Argo login using Google or JumpCloud

Here are the detailed steps and configurations for setting up Argo login with Google or JumpCloud:


1. Sign in to your Argo account: Visit the Argo website and log in to your account using your credentials.


2. Navigate to the Authentication Settings: Look for the authentication settings or access control settings within your Argo account. The location of these settings may vary based on the version or interface of Argo you are using.


3. Choose Google or JumpCloud as the authentication method: Select the option to use an external authentication provider and choose either Google or JumpCloud, depending on your preference.


4. Configure Google authentication:


   a. Set up an OAuth 2.0 client ID and client secret in the Google Developer Console:

      - Go to the Google Developer Console (https://console.developers.google.com).

      - Create a new project or select an existing project.

      - In the left sidebar, click on "Credentials" to create new credentials.

      - Select "OAuth client ID" as the credential type.

      - Choose "Web application" as the application type.

      - Enter a name for the OAuth client ID.

      - Add the authorized redirect URI specific to your Argo instance. It should be in the format: `https://your-argo-domain.com/api/v1/auth/callback`.

      - Save the OAuth client ID and client secret generated by Google.


   b. Enter the client ID and client secret in Argo:

      - In the authentication settings of Argo, locate the Google authentication section.

      - Enter the client ID and client secret obtained from the Google Developer Console.

      - Save the configuration changes.


5. Configure JumpCloud authentication:


   a. Set up JumpCloud as an identity provider (IdP) within Argo:

      - Obtain the necessary details from JumpCloud, including the IdP metadata URL, client ID, and client secret.

      - If JumpCloud does not provide a metadata URL, you may need to manually configure the IdP settings with the following information:

        - Issuer: `https://sso.jumpcloud.com/saml2/<JumpCloud-IdP-Entity-ID>`

        - SSO URL: `https://sso.jumpcloud.com/saml2/<JumpCloud-IdP-Entity-ID>`

        - Certificate: The certificate provided by JumpCloud.

      - Save the JumpCloud configuration details for the next step.


   b. Enter the JumpCloud details in Argo:

      - In the authentication settings of Argo, locate the JumpCloud authentication section.

      - Enter the JumpCloud IdP metadata URL or manually configure the IdP settings using the information obtained from JumpCloud.

      - Enter the client ID and client secret provided by JumpCloud.

      - Save the configuration changes.


6. Save and apply the configuration: After entering the required details for Google or JumpCloud authentication, save the settings and apply the configuration changes within Argo.


7. Test the login process: Visit the Argo login page and select the appropriate authentication method (Google or JumpCloud). Follow the prompts to log in using your Google or JumpCloud credentials. Ensure that the login process is successful and that users can authenticate using the chosen authentication provider.


Please note that the exact steps and configurations may differ based on your Argo version and the specific setup of Google or JumpCloud. It's advisable to consult Argo's documentation or support resources for more accurate and up-to-date instructions tailored to your environment.


What Worked!


Reference Links:

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/google/

Step1: Created EKS cluster on Azure

My blog: https://ny55.blogspot.com/2021/05/deploy-kubernetes-cluster-using.html

Step2: Applied latest ArgoCD

Reference link: https://foxutech.medium.com/setup-argocd-on-azure-kubernetes-services-9c3fa543f4b6

Deploy ArgoCD on AKS

Before starting, create a dedicated namespace for Argo CD so that all of its components are deployed there.

# kubectl create namespace argocd
namespace/argocd created

Now we can install Argo CD in the argocd namespace we created. This is quite simple: the stable install manifest from Argo CD's GitHub repository deploys every component. Use the command below to apply it.

# kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

Output:
customresourcedefinition.apiextensions.k8s.io/applications.argoproj.io created
customresourcedefinition.apiextensions.k8s.io/applicationsets.argoproj.io created
customresourcedefinition.apiextensions.k8s.io/appprojects.argoproj.io created
serviceaccount/argocd-application-controller created
serviceaccount/argocd-applicationset-controller created
serviceaccount/argocd-dex-server created
serviceaccount/argocd-notifications-controller created
serviceaccount/argocd-redis created
serviceaccount/argocd-repo-server created
serviceaccount/argocd-server created
role.rbac.authorization.k8s.io/argocd-application-controller created
role.rbac.authorization.k8s.io/argocd-applicationset-controller created
role.rbac.authorization.k8s.io/argocd-dex-server created
role.rbac.authorization.k8s.io/argocd-notifications-controller created
role.rbac.authorization.k8s.io/argocd-server created
clusterrole.rbac.authorization.k8s.io/argocd-application-controller created
clusterrole.rbac.authorization.k8s.io/argocd-server created
rolebinding.rbac.authorization.k8s.io/argocd-application-controller created
rolebinding.rbac.authorization.k8s.io/argocd-applicationset-controller created
rolebinding.rbac.authorization.k8s.io/argocd-dex-server created
rolebinding.rbac.authorization.k8s.io/argocd-notifications-controller created
rolebinding.rbac.authorization.k8s.io/argocd-redis created
rolebinding.rbac.authorization.k8s.io/argocd-server created
clusterrolebinding.rbac.authorization.k8s.io/argocd-application-controller created
clusterrolebinding.rbac.authorization.k8s.io/argocd-server created
configmap/argocd-cm created
configmap/argocd-cmd-params-cm created
configmap/argocd-gpg-keys-cm created
configmap/argocd-notifications-cm created
configmap/argocd-rbac-cm created
configmap/argocd-ssh-known-hosts-cm created
configmap/argocd-tls-certs-cm created
secret/argocd-notifications-secret created
secret/argocd-secret created
service/argocd-applicationset-controller created
service/argocd-dex-server created
service/argocd-metrics created
service/argocd-notifications-controller-metrics created
service/argocd-redis created
service/argocd-repo-server created
service/argocd-server created
service/argocd-server-metrics created
deployment.apps/argocd-applicationset-controller created
deployment.apps/argocd-dex-server created
deployment.apps/argocd-notifications-controller created
deployment.apps/argocd-redis created
deployment.apps/argocd-repo-server created
deployment.apps/argocd-server created
statefulset.apps/argocd-application-controller created
networkpolicy.networking.k8s.io/argocd-application-controller-network-policy created
networkpolicy.networking.k8s.io/argocd-applicationset-controller-network-policy created
networkpolicy.networking.k8s.io/argocd-dex-server-network-policy created
networkpolicy.networking.k8s.io/argocd-notifications-controller-network-policy created
networkpolicy.networking.k8s.io/argocd-redis-network-policy created
networkpolicy.networking.k8s.io/argocd-repo-server-network-policy created
networkpolicy.networking.k8s.io/argocd-server-network-policy created

Once everything is created, expose the argocd-server service as a LoadBalancer (the manifest creates it as ClusterIP) and list the services in the argocd namespace. Note that this gives the API server a public IP; the DNS record in the next step points at it.

kubectl patch svc argocd-server -n argocd --type=json -p='[{"op": "replace", "path": "/spec/type", "value": "LoadBalancer"}]'
service/argocd-server patched

kubectl get svc -n argocd

NAME                                      TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)                      AGE
argocd-applicationset-controller          ClusterIP      10.0.60.123    <none>         7000/TCP,8080/TCP            2m38s
argocd-dex-server                         ClusterIP      10.0.126.47    <none>         5556/TCP,5557/TCP,5558/TCP   2m38s
argocd-metrics                            ClusterIP      10.0.112.207   <none>         8082/TCP                     2m37s
argocd-notifications-controller-metrics   ClusterIP      10.0.102.189   <none>         9001/TCP                     2m36s
argocd-redis                              ClusterIP      10.0.216.47    <none>         6379/TCP                     2m35s
argocd-repo-server                        ClusterIP      10.0.11.207    <none>         8081/TCP,8084/TCP            2m35s
argocd-server                             LoadBalancer   10.0.216.254   20.124.63.65   80:32535/TCP,443:31416/TCP   2m34s
argocd-server-metrics                     ClusterIP      10.0.223.255   <none>         8083/TCP                     2m33s


Login Using The CLI



The initial password for the admin account is auto-generated and stored in clear text in the password field of the secret named argocd-initial-admin-secret in your Argo CD installation namespace. You can retrieve it with kubectl; change the password after the first login and delete the secret, since it is only meant for bootstrapping:

# kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo



Step3: Create a domain and an A record (pointing the Argo CD hostname at the EXTERNAL-IP of the argocd-server service)

https://dash.cloudflare.com/6de0854b30e5a09cb818a1e208122044


Step4: Apply configurations from recommended docs


Followed OpenID Connect using Dex

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/google/

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#sso

https://github.com/argoproj/argo-cd/discussions/10658#discussioncomment-5127266

kubectl apply -f

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
---
# Server-managed fields from the original `kubectl get -o yaml` dump
# (last-applied annotation, creationTimestamp, resourceVersion, uid) are
# omitted: they are not desired state and can make kubectl apply fail.
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
data:
  url: https://argo.colliycool.com
  dex.config: |
    logger:
      level: debug
    connectors:
    - config:
        issuer: https://accounts.google.com
        clientID: 415002253838-guolcd66q71eeip9cafoa88ql8a3k6rm.apps.googleusercontent.com
        clientSecret: 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
      type: oidc
      id: google
      name: Google
      
    - type: saml
      id: jumpcloud
      name: JumpCloud
      config:
        ssoURL: https://sso.jumpcloud.com/saml2/argo
        caData: |
          LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tDQpNSUlGZkRDQ0EyU2dBd0lCQWdJVWF0YXJRaTBlU2ZJcEVtYUFsN0h0RUlYTWt5WXdEUVlKS29aSWh2Y05BUUVMDQpCUUF3ZURFTE1Ba0dBMVVFQmhNQ1ZWTXhDekFKQmdOVkJBZ1RBa05QTVJBd0RnWURWUVFIRXdkQ2IzVnNaR1Z5DQpNUk13RVFZRFZRUUtFd3BqYjJ4c2FYbGpiMjlzTVJrd0Z3WURWUVFMRXhCS2RXMXdRMnh2ZFdSVFFVMU1TV1JRDQpNUm93R0FZRFZRUURFeEZLZFcxd1EyeHZkV1JUUVUxTVZYTmxjakFlRncweU16QTJNVFF4T1RFMk16VmFGdzB5DQpPREEyTVRReE9URTJNelZhTUhneEN6QUpCZ05WQkFZVEFsVlRNUXN3Q1FZRFZRUUlFd0pEVHpFUU1BNEdBMVVFDQpCeE1IUW05MWJHUmxjakVUTUJFR0ExVUVDaE1LWTI5c2JHbDVZMjl2YkRFWk1CY0dBMVVFQ3hNUVNuVnRjRU5zDQpiM1ZrVTBGTlRFbGtVREVhTUJnR0ExVUVBeE1SU25WdGNFTnNiM1ZrVTBGTlRGVnpaWEl3Z2dJaU1BMEdDU3FHDQpTSWIzRFFFQkFRVUFBNElDRHdBd2dnSUtBb0lDQVFDb0RydUkvVXB0RlpHU0xDaktXN3ZTSUc5VWEyUzdobGMrDQp5WVU2TUtPQlRTNW9ZTi80M1RKN082N0JIUXpiV2NLUXJtZWxwcVN0U3ZlYUZ4ZHhUeHZJZjFyS2c5b00xMlVHDQpUME1McU8zMTJ1U3VCZGVRSXVHd0ZQRGdGTkR2NlZNRDBNNnRYdmI2Qk1Ic2FrSlphanJsSlIvTVlOZHdXdHE2DQpndlNJU0UzNnIwa0IvRVZaU0Z4cmxiVkE4QjZ5NnFSR1dldDBDRFNFdG5ReWdHUkxtSGNhMjB0WEhYcEZOLzJ3DQp1QXlXMWo1RUpBNXdXclptQWo3YndBcHk3Y2FiSTcyUkZsSHgvS3NOUHJFVXZJcjJhWitvdlB4amFMZlVpeW5RDQp4TmpIVU10dlEvR2swUHZ2emNWckhGMFNtd3FoUDVQZGhDeGVQT3NvSkJseGhjNmVQUDFXUTFGTGJwdkNBaXRKDQpReHh4R1pSbnNBY2RRMlBuUHNjZFptZGlXMW9ZSnFWNE11M2wyeFRCUW9RR0tIZGhQTlVOY3JaRFg2TkM5ejdyDQprUE1lZHZxZ0N5YkZXWXpvZU1GdFpXWXF2UGpIL3hlNlJEQnVrZTRSWFlVOE52WEN5cCt2UHNUZ2FXOEZiNVoyDQoxNnhodlpFaXkzV0djQUlEd3duOUxxTlBzS3l2Q2ppaDBzQi9WTW5CVW1GL2VJRjRieXh4RWtERk1EaW1kSWM4DQpuSVp5UitnaUtIY3FRdUNBSHlFbzR3QXNSUm0vMm9RUE5LbjEyR0lDS1d4djhqaWg2VWV3VHlXTDhycGRFQ0l6DQpKb2tPM3FKUytxKzYvcGRCQkYzc3hMeU15N0NORW5pSkhFNXh3bmtoYjJrdlZqb0lpM0lnVmJXMGhEdkRhNHNzDQpHQ3ZGcXpNVUJ3SURBUUFCTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElDQVFBV01OUFI5ZC9xNks4UnppOXcvb3NuDQoxY0dHWHd2MExrQjZuNENMVmhZWTRVVUlBTkFwWXlkUUxYalpGK3p1amtxLzIyM0Q3RTZacnNLdlhpNVpZTzdWDQpzMEdZT0Y2d2V1V0M2UlhST0hIZ2M2ME0zYWVpajF5Z2RnenlBYXJaSURCUCtXdVlKdzBsL3owa2ZLY045NmlpDQovbmdFUjRlOUYxdkkzeXZ6NVYrV2ZRakZZdnVXc0FIVStoMWlyb2Nlbys2cXBvM1pkNDV5SjJETlMyaFdPeUQ4DQpzMkZmWFBvVi9yak
hiT2oyRDg3em9NL3RoTVZXOWtzdTJrZDZmdTVZdXVacW1tNnZhZW9XOXlMNXN6dC9Zb3k4DQpXdUhmT2w4dlkxSzdMZS9vMEdSNzN3ekxBWFlRcG8zaTNydFNtZHFCdUhuTEJwajhZckhoanAwZXErYU8zQ2cvDQo4WEdXZzltWk5GR0FDMUV3Q2JvYmc2d1pleHgyMFh0cGxOL3VrMjNRTTVuWWJ0NmN4N2lhMGYyRlFqamhUb0xaDQpaV1B6WmFCRW5IWGZCVWFOMGo1cTlGd2kzcFJjSEJzcEJWNm5aUEk0SHZSUHhZOXRYc3BTT0JQdnhoZTNobGxuDQp5ZFVheUg2RWJ2dWxEV0NuZFhHYjJjeGMyMDk2eDI3bGJrT0ZOalNjZEFSNmljdzB6aTRpTEwweFB4WE9EY1QxDQpldDRHTm9ac2V4ZzNnaFJkTzdDNk5pMDlmVHBsb1J6NllvcEgyYVJsUzZ3NVVqL1E2OWRSQkxIZjhUejNJU3BBDQphUFVzdmtWS2tQWkpnY1JrRFF3ZUMvOWFtakg4OU1CNXRHVm5hS3Y5d3VIYlRHVEVjMW9qRHdFSU5Ka1BPM1d0DQpIaEpieWtCc05wN1F1Rys2SVJBY1d3PT0NCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0NCg==
        usernameAttr: username
        emailAttr: email
        groupsAttr: memberOf      

Here is the Google side of the settings, following the Argo CD docs linked above:

OpenID Connect using Dex


Configure your OAuth consent screen.


If you've never configured this, you'll be redirected straight to this if you try to create an OAuth Client ID

  1. Go to your OAuth Consent configuration. If you still haven't created one, select Internal or External and click Create

  2. Go and edit your OAuth consent screen. Verify you're in the correct project!

  3. Configure a name for your login app and a user-support email address

  4. The app logo and filling the information links is not mandatory, but it's a nice touch for the login page

  5. In "Authorized domains" add the domains that are allowed to log in to ArgoCD (e.g. if you add example.com, all Google Workspace users with an @example.com address will be able to log in)

  6. Save to continue to the "Scopes" section

  7. Click on "Add or remove scopes" and add the .../auth/userinfo.profile and the openid scopes

  8. Save, review the summary of your changes and finish

Configure a new OAuth Client ID

  1. Go to your Google API Credentials console and ensure you're in the correct project.

  2. Click on "+Create Credentials"/"OAuth Client ID"

  3. Select "Web Application" in the Application Type drop down menu, and enter an identifying name for your app (e.g. Argo CD)

  4. Fill "Authorized JavaScript origins" with your Argo CD URL, e.g. https://argocd.example.com

  5. Fill "Authorized redirect URIs" with your Argo CD URL plus /api/dex/callback, e.g. https://argocd.example.com/api/dex/callback

  6. Click "Create" and save your "Client ID" and your "Client Secret" for later

Configure Argo to use OpenID Connect


Edit argocd-cm and add the following dex.config to the data section, replacing clientID and clientSecret with the values you saved before:


data:
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - config:
        issuer: https://accounts.google.com
        clientID: XXXXXXXXXXXXX.apps.googleusercontent.com
        clientSecret: XXXXXXXXXXXXX
      type: oidc
      id: google
      name: Google

Here's a JumpCloud config that worked for me:

logger:
  level: debug
connectors:
  - type: saml
    id: jumpcloud
    name: JumpCloud
    config:
      ssoURL: https://sso.jumpcloud.com/saml2/argo
      caData: |
        <your base64 encoded certificate data>
      usernameAttr: username
      emailAttr: email
      groupsAttr: memberOf

On the JumpCloud side, I set the following fields on the SSO tab of my app:

| Name | Value | Notes |
| --- | --- | --- |
| IdP Entity ID | https://argo.colliycool.com/api/dex/callback | Dex callback endpoint of your Argo CD server |
| SP Entity ID | https://argo.colliycool.com/api/dex/callback | Dex callback endpoint of your Argo CD server |
| ACS URL | https://argo.colliycool.com/api/dex/callback | Dex callback endpoint of your Argo CD server |
| IDP URL | https://sso.jumpcloud.com/saml2/argo | Corresponds with ssoURL above |

JumpCloud doesn't seem to send any attributes by default, which will probably result in `Failing to authenticate: the response did not contain an AttributeStatement` in your Dex logs. I fixed this by going into the SSO tab of my app and setting the following attributes:

| Service Provider Attribute Name | JumpCloud Attribute Name | Notes |
| --- | --- | --- |
| username | username | Corresponds with usernameAttr above |
| email | email | Corresponds with emailAttr above |

I also enabled "include group attribute" under "GROUP ATTRIBUTES" with a value of memberOf (to match the groupsAttr above). This is needed to use JumpCloud's groups in your RBAC config.

Download the certificate from JumpCloud and base64-encode it (e.g. `base64 -w0 cert.pem`) to obtain the caData value for the ConfigMap.
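Before re-applying argocd-cm it is worth validating the JumpCloud connector offline; the script below is an added example, not code from this page or the Argo CD project. `pem_to_ca_data` encodes the downloaded certificate into the caData form, and `check_saml_connector` flags the mistakes this procedure runs into (raw PEM pasted instead of base64, missing usernameAttr/emailAttr/groupsAttr, a redirect URI that is not `<url>/api/dex/callback`). The certificate and connector values are constructed stand-ins and argo.example.com is a placeholder hostname.

```python
import base64
import re

DEX_CALLBACK = "/api/dex/callback"

# Constructed stand-in for the PEM file downloaded from JumpCloud (not a real cert).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\r\nAAEC\r\n-----END CERTIFICATE-----\r\n"


def pem_to_ca_data(pem: str) -> str:
    """Encode a PEM certificate into the base64 value Dex expects in caData.
    Anything that is not a single PEM certificate block is rejected here,
    so a mis-pasted file fails before apply rather than at login time."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if (len(lines) < 2 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        raise ValueError("input is not a PEM certificate block")
    base64.b64decode("".join(lines[1:-1]), validate=True)  # inner DER must be base64
    return base64.b64encode(("\n".join(lines) + "\n").encode()).decode()


def check_saml_connector(connector: dict, argocd_url: str) -> list:
    """Pre-apply checks for a Dex SAML connector shaped like the JumpCloud
    block in argocd-cm. Returns a list of findings; an empty list is clean."""
    findings = []
    cfg = connector.get("config", {})
    if connector.get("type") != "saml":
        findings.append("connector type must be saml")
    if not re.fullmatch(r"https://sso\.jumpcloud\.com/saml2/[\w-]+", cfg.get("ssoURL", "")):
        findings.append("ssoURL does not look like a JumpCloud SAML2 endpoint")
    try:  # Dex ignores newlines inside caData, so strip whitespace before decoding
        raw = base64.b64decode("".join(cfg.get("caData", "").split()), validate=True)
    except ValueError:
        findings.append("caData is not valid base64 (raw PEM pasted instead of encoded?)")
    else:
        if b"-----BEGIN CERTIFICATE-----" not in raw:
            findings.append("caData decodes but is not PEM (DER or double-encoded?)")
    for attr in ("usernameAttr", "emailAttr", "groupsAttr"):
        if not cfg.get(attr):  # without these JumpCloud sends no AttributeStatement
            findings.append(f"{attr} unset: map it on the JumpCloud SSO tab too")
    expected = argocd_url.rstrip("/") + DEX_CALLBACK  # must equal ACS URL / SP Entity ID
    if cfg.get("redirectURI", expected) != expected:  # Argo CD fills this in when absent
        findings.append(f"redirectURI must be {expected}")
    return findings


# Constructed connector mirroring the page's JumpCloud block, using the sample cert.
GOOD_CONNECTOR = {
    "type": "saml", "id": "jumpcloud", "name": "JumpCloud",
    "config": {
        "ssoURL": "https://sso.jumpcloud.com/saml2/argo",
        "caData": pem_to_ca_data(SAMPLE_PEM),
        "usernameAttr": "username", "emailAttr": "email", "groupsAttr": "memberOf",
    },
}
```

Run `check_saml_connector(GOOD_CONNECTOR, "https://argo.example.com")` on your own connector dict (with the real caData) and fix every finding before the rollout restart.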

Step5: Restart the deployment after applying the new config map

kubectl -n argocd get cm argocd-cm -o yaml > backup_argocd-cm.yaml
kubectl -n argocd delete cm argocd-cm
kubectl -n argocd apply -f 1.yaml
kubectl -n argocd rollout restart deployment argocd-server

configmap "argocd-cm" deleted
configmap/argocd-cm created
deployment.apps/argocd-server restarted
