32 ‐ ArgoCD Authentication With Github - CloudScope/DevOpsWithCloudScope GitHub Wiki

Overview

ArgoCD supports Single Sign-On (SSO) authentication via OAuth providers, including GitHub. This allows users to log in using their GitHub accounts and leverage GitHub organizations/teams for role-based access control (RBAC) in ArgoCD.

Prerequisites

  • A running ArgoCD instance.
  • Admin access to the GitHub organization.
  • Admin access to the ArgoCD instance.
  • argocd CLI installed (optional but recommended).

Step 1: Create an OAuth App in GitHub

  1. Go to GitHub Developer Settings: [GitHub OAuth Apps](https://github.com/settings/developers)
  2. Click New OAuth App.
  3. Fill in the required details:
    • Application Name: ArgoCD SSO
    • Homepage URL: https://argocd.example.com
    • Authorization Callback URL: https://argocd.example.com/auth/callback
  4. Click Register Application.
  5. Copy the Client ID and Client Secret.

Step 2: Configure ArgoCD to Use GitHub OAuth

  1. Edit the argocd-cm ConfigMap:
    kubectl -n argocd edit configmap argocd-cm
    
  2. Add the following OAuth configuration:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: argocd-cm
    data:
      url: https://argocd.example.com
      oidc.config: |
        name: GitHub
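        # Argo CD performs OIDC discovery against this issuer
        # (<issuer>/.well-known/openid-configuration); confirm it responds.
        issuer: https://github.com/login/oauth
        clientID: <your-client-id>
        # ConfigMaps are not meant for confidential data. Argo CD also accepts a
        # "$<key>" value here, resolved from that key in the argocd-secret Secret.
        clientSecret: <your-client-secret>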
        redirectURI: https://argocd.example.com/auth/callback
        requestedScopes: ["user:email", "read:org"]
    
  3. Save and exit the editor.
  4. Restart the ArgoCD server:
    kubectl -n argocd rollout restart deployment argocd-server
    

Step 3: Configure RBAC in ArgoCD

  1. Edit the argocd-rbac-cm ConfigMap:
    kubectl -n argocd edit configmap argocd-rbac-cm
    
  2. Define roles based on GitHub organizations or teams:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: argocd-rbac-cm
    data:
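      # policy.default is granted to every user who can log in,
      # including users in none of the groups mapped below.
      policy.default: "role:readonly"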
      policy.csv: |
        p, role:admin, applications, *, */*, allow
        g, github:my-org:admins, role:admin
        g, github:my-org:devs, role:readonly
    
    • Replace my-org with your GitHub organization name.
    • Adjust roles (admin, readonly, etc.) as needed.
  3. Save and exit the editor.
  4. Restart the ArgoCD server again:
    kubectl -n argocd rollout restart deployment argocd-server
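
How the Step 3 policy resolves for a given set of GitHub groups, as an added example (not code from this wiki or from Argo CD). It is a simplified model of the `p` and `g` rows, not Argo CD's Casbin engine. Assumptions: `BUILTIN_CSV` is a one-row stand-in for the built-in `role:readonly`, and `default/guestbook` is a constructed project/application name.

```python
from fnmatch import fnmatchcase

# policy.csv and policy.default from Step 3, verbatim.
POLICY_CSV = """\
p, role:admin, applications, *, */*, allow
g, github:my-org:admins, role:admin
g, github:my-org:devs, role:readonly
"""
POLICY_DEFAULT = "role:readonly"
# Assumption: one-row stand-in for Argo CD's built-in role:readonly.
BUILTIN_CSV = "p, role:readonly, applications, get, */*, allow\n"


def parse(csv_text):
    """Split policy rows into permissions (p) and group-to-role grants (g)."""
    perms, grants = [], []
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            perms.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            grants.append((fields[1], fields[2]))
    return perms, grants


def effective_roles(groups, grants, default=POLICY_DEFAULT):
    """Roles from exact-match g rows, plus policy.default for everyone."""
    roles = {role for subject, role in grants if subject in groups}
    if default:
        roles.add(default)
    return roles


def can(groups, resource, action, obj):
    """Allow if a held role has a matching allow row and no matching deny."""
    perms, grants = parse(BUILTIN_CSV + POLICY_CSV)
    roles = effective_roles(groups, grants)
    effects = {
        effect for sub, res, act, pattern, effect in perms
        if sub in roles and fnmatchcase(resource, res)
        and fnmatchcase(action, act) and fnmatchcase(obj, pattern)
    }
    return "allow" in effects and "deny" not in effects


if __name__ == "__main__":
    for groups in ({"github:my-org:admins"}, {"github:my-org:devs"}, set()):
        print(sorted(groups), can(groups, "applications", "sync", "default/guestbook"))
```

A user in no mapped team still resolves to `role:readonly` through `policy.default`, and a group string that does not match a `g` row exactly grants nothing, which is the first thing to compare when a login ends in "User unauthorized".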
    

Step 4: Verify Authentication

  1. Go to your ArgoCD UI (https://argocd.example.com).
  2. Click Log in via GitHub.
  3. Authorize the application when prompted.
  4. You should now be logged in based on your GitHub organization/team permissions.

Troubleshooting

  • Invalid Client ID/Secret: Ensure the correct values are configured in argocd-cm.
  • User unauthorized: Check argocd-rbac-cm for correct role mappings.
  • Callback URL mismatch: Ensure GitHub OAuth settings match the redirectURI.

Conclusion

Configuring GitHub authentication with ArgoCD enhances security and simplifies user management by leveraging GitHub teams and organizations. This setup allows for seamless integration of authentication and RBAC, improving access control for your deployments.