Keycloak

Integrating Keycloak and ArgoCD

These instructions will take you through the entire process of getting your ArgoCD application authenticating with Keycloak. You will create a client within Keycloak and configure ArgoCD to use Keycloak for authentication, using groups set in Keycloak to determine privileges in Argo.

Creating a new client in Keycloak

First we need to setup a new client. Start by logging into your keycloak server, select the realm you want to use (master by default) and then go to Clients and click the create button top right.

Keycloak add client

Configure the client by setting the Access Type to confidential and set the Valid Redirect URIs to the callback url for your ArgoCD hostname. It should be https://{hostname}/auth/callback (you can also leave the default less secure https://{hostname}/\* ). You can also set the Base URL to /applications.

Keycloak configure client

Make sure to click Save. You should now have a new tab called Credentials. You can copy the Secret that we’ll use in our ArgoCD configuration.

Keycloak client secret

Configuring the groups claim

In order for ArgoCD to provide the groups the user is in we need to configure a groups claim that can be included in the authentication token. To do this we’ll start by creating a new Client Scope called groups.

Keycloak add scope

Once you’ve created the client scope you can now add a Token Mapper which will add the groups claim to the token when the client requests the groups scope. Make sure to set the Name as well as the Token Claim Name to groups.

Keycloak groups mapper

We can now configure the client to provide the groups scope. You can now assign the groups scope either to the Assigned Default Client Scopes or to the Assigned Optional Client Scopes. If you put it in the Optional category you will need to make sure that ArgoCD requests the scope in it’s OIDC configuration.

Keycloak client scope

Since we will always want group information, I recommend using the Default category. Make sure you click Add selected and that the groups claim is in the correct list on the right.

Keycloak client scope selected

Create a group called ArgoCDAdmins and have your current user join the group.

Keycloak user group

Configuring ArgoCD OIDC

Let’s start by storing the client secret you generated earlier in the argocd secret argocd-secret.

  1. First you’ll need to encode the client secret in base64: $ echo -n '83083958-8ec6-47b0-a411-a8c55381fbd2' | base64
  2. Then you can edit the secret and add the base64 value to a new key called oidc.keycloak.clientSecret using $ kubectl edit secret argocd-secret.

Your Secret should look something like this:

  1. apiVersion: v1
  2. kind: Secret
  3. metadata:
  4. name: argocd-secret
  5. data:
  6. ...
  7. oidc.keycloak.clientSecret: ODMwODM5NTgtOGVjNi00N2IwLWE0MTEtYThjNTUzODFmYmQy
  8. ...

Now we can configure the config map and add the oidc configuration to enable our keycloak authentication. You can use $ kubectl edit configmap argocd-cm.

Your ConfigMap should look like this:

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. name: argocd-cm
  5. data:
  6. url: https://argocd.example.com
  7. oidc.config: |
  8. name: Keycloak
  9. issuer: https://keycloak.example.com/realms/master
  10. clientID: argocd
  11. clientSecret: $oidc.keycloak.clientSecret
  12. requestedScopes: ["openid", "profile", "email", "groups"]

Make sure that: - issuer ends with the correct realm (in this example master) - issuer on Keycloak releases older than version 17 the URL must include /auth (in this expample /auth/realms/master) - clientID is set to the Client ID you configured in Keycloak - clientSecret points to the right key you created in the argocd-secret Secret - requestedScopes contains the groups claim if you didn’t add it to the Default scopes

Configuring ArgoCD Policy

Now that we have an authentication that provides groups we want to apply a policy to these groups. We can modify the argocd-rbac-cm ConfigMap using $ kubectl edit configmap argocd-rbac-cm.

  1. apiVersion: v1
  2. kind: ConfigMap
  3. metadata:
  4. name: argocd-rbac-cm
  5. data:
  6. policy.csv: |
  7. g, ArgoCDAdmins, role:admin

In this example we give the role role:admin to all users in the group ArgoCDAdmins.

Login

You can now login using our new Keycloak OIDC authentication:

Keycloak ArgoCD login