OpenUnison

Integrating OpenUnison and ArgoCD

These instructions will take your through the steps of integrating OpenUnison and ArgoCD to support single sign-on and add a “badge” to your OpenUnison portal to create a single access point for both Kubernetes and ArgoCD. These instructions assume you’ll be using both ArgoCD’s web interface and command line interface. These instructions assume you are running OpenUnison 1.0.20+.

OpenUnison Portal with ArgoCD

Create an OpenUnison Trust

Update the below Trust object and add it to the openunison namespace. The only change you need to make is to replace argocd.apps.domain.com with the host name of your ArgoCD URL. The localhost URL is needed for the cli to work. There is no client secret used for ArgoCD since the cli will not work with it.

  1. apiVersion: openunison.tremolo.io/v1
  2. kind: Trust
  3. metadata:
  4. name: argocd
  5. namespace: openunison
  6. spec:
  7. accessTokenSkewMillis: 120000
  8. accessTokenTimeToLive: 1200000
  9. authChainName: LoginService
  10. clientId: argocd
  11. codeLastMileKeyName: lastmile-oidc
  12. codeTokenSkewMilis: 60000
  13. publicEndpoint: true
  14. redirectURI:
  15. - https://argocd.apps.domain.com/auth/callback
  16. - http://localhost:8085/auth/callback
  17. signedUserInfo: true
  18. verifyRedirect: true

Create a “Badge” in OpenUnison

Download the yaml for a PortalUrl object and update the url to point to your ArgoCD instance. Add the updated PortalUrl to the openunison namespace of your cluster.

Configure SSO in ArgoCD

Next, update the argocd-cm ConfigMap in the argocd namespace. Add the url and oidc.config sections as seen below. Update issuer with the host for OpenUnison.

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. name: argocd-cm
  5. data:
  6. url: https://argocd.apps.domain.com
  7. oidc.config: |-
  8. name: OpenUnison
  9. issuer: https://k8sou.apps.192-168-2-144.nip.io/auth/idp/k8sIdp
  10. clientID: argocd
  11. requestedScopes: ["openid", "profile", "email", "groups"]

If everything went correctly, login to your OpenUnison instance and there should be a badge for ArgoCD. Clicking on that badge opens ArgoCD in a new window, already logged in! Additionally, launching the argocd cli tool will launch a browser to login to OpenUnison.

Configure ArgoCD Policy

OpenUnison places groups in the groups claim. These claims will show up when you click on the user-info section of the ArgoCD portal. If you’re using LDAP, Active Directory, or Active Directory Federation Services the groups will provided to ArgoCD as full Distinguished Names (DN). Since a DN containers commas (,) you’ll need to quote the group name in your policy. For instance to assign CN=k8s_login_cluster_admins,CN=Users,DC=ent2k12,DC=domain,DC=com as an administrator would look like:

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. name: argocd-rbac-cm
  5. namespace: argocd
  6. data:
  7. policy.csv: |
  8. g, "CN=k8s_login_cluster_admins,CN=Users,DC=ent2k12,DC=domain,DC=com", role:admin