oidc secret #374

Open
castleadmin opened this issue Jul 19, 2021 · 2 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@castleadmin commented Jul 19, 2021

Is your feature request related to a problem? Please describe.
On the page https://argocd-operator.readthedocs.io/en/latest/usage/basics/#secrets it is stated:

There is a Secret that is used by Argo CD named argocd-secret. The argocd-server component reads this secret to obtain the admin password for authentication.
This Secret is managed by the operator and should not be changed directly.

For the configuration of OIDC the secret 'argocd-secret' has to be changed:
https://argoproj.github.io/argo-cd/operator-manual/user-management/microsoft/#azure-ad-app-registration-auth-using-oidc

I found no way to configure the secret using the argocd CRD.

Describe the solution you'd like
Currently the 'admin.password' gets synced from the 'argocd-cluster' secret to the 'argocd-secret' secret. A similar syncing mechanism could be implemented for the oidc client secret.

Describe alternatives you've considered
The policy that it isn't recommended to change the 'argocd-secret' directly could be changed.

@iam-veeramalla added the labels "enhancement" (New feature or request) and "good first issue" (Good for newcomers) on Jul 19, 2021

@KevinBonilla commented

@castleadmin did you ever find a workaround for this problem? I'm running into the same issue as well where I need to manually append the oidc client secret into argocd-secret. Would be great if we had a sync mechanism similar to how tls secrets sync to argocd-secret.

@KevinBonilla commented Dec 7, 2022

After some digging I was able to find documentation about secrets alternatives, where within the operator deployment yaml I just need to reference the secret name and key. The format will look like this:

spec:
  # oidcConfig is rendered by the operator into the oidc.config key of argocd-cm
  oidcConfig: |
    name: AzureAD
    issuer: <redacted issuer URL>
    clientID: <redacted clientID>
    # $<secret-name>:<key> tells argocd-server to read the value from another
    # Secret in the argocd namespace instead of from argocd-secret
    clientSecret: $argocd-oidc:oidc.azuread.clientSecret
    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email"]
    # Optional set of OIDC claims to request on the ID token.
    requestedIDTokenClaims: {"groups": {"essential": true}}

So now in the argocd-cm the clientSecret will look for a secret called argocd-oidc with a key called oidc.azuread.clientSecret.

My secret looks like this. Since we use ExternalSecrets, I had to learn how to inject the proper annotation, but thanks to this issue I was able to find the proper formatting, app.kubernetes.io/part-of: argocd, for my ArgoCD oidc secret. The ExternalSecret now looks like this:

apiVersion: kubernetes-client.io/v1
kind: ExternalSecret
metadata:
  name: argocd-oidc
  namespace: argocd
spec:
  backendType: vault
  template:
    metadata:
      labels:
        # argocd-server only reads values from Secrets carrying this label
        app.kubernetes.io/part-of: "argocd"
  data:
    # becomes the key referenced as $argocd-oidc:oidc.azuread.clientSecret
    - name: oidc.azuread.clientSecret
      key: <redacted kv path>
      property: OIDC_CLIENT_SECRET

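The `$secret-name:key` indirection in the comment above only works if the referenced Secret exists in the argocd namespace, carries the `app.kubernetes.io/part-of: argocd` label, and actually contains the key; a typo in any of the three leaves the OIDC client secret unresolved at runtime. The following pre-apply check is an added example written for this page, not code from the argocd-operator or Argo CD projects. It extracts every `$...` reference from an oidcConfig block (both the `$name:key` form and the bare `$key` form, which Argo CD resolves against `argocd-secret`) and validates them against Secret manifests supplied as plain dicts (what `yaml.safe_load` returns for a `kubectl get secret -o yaml` dump). The OIDC config and Secret manifests embedded below are constructed placeholders for the redacted values in the comment.

```python
"""Validate Argo CD $secret:key references before applying an oidcConfig.

Added example for this issue page; not argocd-operator or Argo CD code.
Secret manifests are constructed inline so the check runs offline.
"""
import re
from typing import Dict, List, Tuple

# Argo CD only reads values from Secrets carrying this label.
REQUIRED_LABEL = ("app.kubernetes.io/part-of", "argocd")
# A bare "$key" reference is resolved against this Secret.
DEFAULT_SECRET = "argocd-secret"

# Matches "$name:key" or "$key"; the whole value must be the reference.
REF_RE = re.compile(
    r"^\$(?:(?P<secret>[A-Za-z0-9][A-Za-z0-9.\-]*):)?(?P<key>[A-Za-z0-9._\-]+)$"
)


def find_secret_refs(oidc_config: str) -> List[Tuple[str, str, str]]:
    """Return (field, secret_name, key) for every $-reference in the block."""
    refs = []
    for raw in oidc_config.splitlines():
        line = raw.strip()
        if line.startswith("#") or ":" not in line:
            continue
        field, _, value = line.partition(":")
        match = REF_RE.match(value.strip())
        if match:
            refs.append((field.strip(), match.group("secret") or DEFAULT_SECRET,
                         match.group("key")))
    return refs


def check_refs(refs: List[Tuple[str, str, str]], secrets: List[Dict],
               namespace: str = "argocd") -> List[str]:
    """Return a list of problems; empty means every reference resolves."""
    by_name = {s["metadata"]["name"]: s for s in secrets
               if s.get("kind") == "Secret"
               and s["metadata"].get("namespace") == namespace}
    label_key, label_value = REQUIRED_LABEL
    problems = []
    for field, name, key in refs:
        secret = by_name.get(name)
        if secret is None:
            problems.append(f"{field}: Secret {namespace}/{name} not found")
            continue
        labels = secret["metadata"].get("labels") or {}
        if labels.get(label_key) != label_value:
            problems.append(f"{field}: Secret {name} lacks label "
                            f"{label_key}={label_value}; argocd-server will not read it")
        # Keys may live under data (base64) or stringData (plain) in a manifest.
        keys = set(secret.get("data") or {}) | set(secret.get("stringData") or {})
        if key not in keys:
            problems.append(f"{field}: key {key!r} missing from Secret {name}")
    return problems


def validate(oidc_config: str, secrets: List[Dict]) -> List[str]:
    """Convenience wrapper: extract references, then check them."""
    return check_refs(find_secret_refs(oidc_config), secrets)


# Constructed stand-in for the redacted oidcConfig in the issue comment.
OIDC_CONFIG = """\
name: AzureAD
issuer: https://login.microsoftonline.com/example-tenant/v2.0
clientID: 00000000-0000-0000-0000-000000000000
# Optional set of OIDC scopes to request.
clientSecret: $argocd-oidc:oidc.azuread.clientSecret
requestedScopes: ["openid", "profile", "email"]
requestedIDTokenClaims: {"groups": {"essential": true}}
"""

# Constructed Secret as ExternalSecrets would render it (value is base64("placeholder")).
GOOD_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "argocd-oidc", "namespace": "argocd",
                 "labels": {"app.kubernetes.io/part-of": "argocd"}},
    "data": {"oidc.azuread.clientSecret": "cGxhY2Vob2xkZXI="},
}

# Same Secret without the label: the common mistake this check catches.
UNLABELLED_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "argocd-oidc", "namespace": "argocd"},
    "data": {"oidc.azuread.clientSecret": "cGxhY2Vob2xkZXI="},
}

if __name__ == "__main__":
    for label, secrets in (("labelled", [GOOD_SECRET]),
                           ("unlabelled", [UNLABELLED_SECRET]),
                           ("missing", [])):
        print(label, validate(OIDC_CONFIG, secrets) or "ok")
```

Run it against a real dump by loading `kubectl -n argocd get secrets -o yaml` with `yaml.safe_load` and passing `doc["items"]` as the `secrets` list; the oidcConfig string comes straight out of the ArgoCD custom resource. The label check is the one most worth keeping in CI, since a Secret that exists and has the right key but lacks `app.kubernetes.io/part-of: argocd` fails silently at login time rather than at apply time.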