argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

I can't enable SSO with Gitlab and dex #9034

Open midestefanis opened 2 years ago

midestefanis commented 2 years ago

Describe the bug

I can't enable SSO with Gitlab and dex

Following the following documentation:

https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#dex
https://dexidp.io/docs/connectors/gitlab/

I'm trying to activate SSO with Gitlab but both the server and the dex always give me the following error:

time="2022-04-07T16:33:04Z" level=warning msg="invalid dex yaml config"

To Reproduce

What I did was just edit the configmap 'argocd-cm'

data:
  url: https://****.com.ar/
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
          baseURL: https://gitlab.com
          clientID: ****
          clientSecret: ****
          redirectURI: https://****/dex/callback
          orgs:
          - name: ***
  repository.credentials: |
    - passwordSecret:
        key: git_token
        name: autopilot-secret
      url: https://gitlab.com/
      usernameSecret:
        key: git_username
        name: autopilot-secret
  timeout.reconciliation: 15s

Expected behavior

Login with SSO

Screenshots

Version

argocd:v2.3.3

Logs

time="2022-04-07T18:18:11Z" level=info msg="Starting configmap/secret informers"
time="2022-04-07T18:18:11Z" level=info msg="Configmap/secret informer synced"
time="2022-04-07T18:18:11Z" level=info msg="0xc000b10cc0 subscribed to settings updates"
time="2022-04-07T18:18:11Z" level=warning msg="invalid dex yaml config"
time="2022-04-07T18:18:11Z" level=info msg="dex is not configured"

sigi4 commented 2 years ago

I'm not sure if this is your issue, but this page https://dexidp.io/docs/connectors/gitlab/ indicates that name is not the parent of baseUrl...

I believe a config: is missing after name: but on the same level.
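sigi4's diagnosis is the general failure shape in this thread: the GitLab connector's own keys live under config:, and anything indented under a scalar such as `name: GitLab` is not valid YAML at all, which is what Argo CD's "invalid dex yaml config" warning reports. The lint below is an added example of mine, not Argo CD or dex code. It checks a dex.config block for both mistakes using only the key names from the dex GitLab connector docs linked in this issue, and it also flags keys such as baseURL: or groups: that sit beside type: instead of under config:, which some of the "working" configs later in this thread do. To my knowledge dex ignores unknown connector-level keys and falls back to https://gitlab.com when baseURL is absent, so such a config can appear to work against gitlab.com while the group restriction does nothing; the dex logs are the place to confirm which keys were actually honoured. The sample configs and the placeholder group `platform-team` are constructed.

```python
"""Lint the dex.config block of argocd-cm for the two GitLab connector mistakes
seen in this thread: a block indented under a scalar (invalid YAML, reported by
Argo CD as "invalid dex yaml config") and connector-specific keys placed beside
type:/id:/name: instead of under config:. Plain line handling, no YAML library;
it understands only the block-style mappings and lists a dex.config uses."""
import re
from typing import Dict, List, Tuple
CONNECTOR_KEYS = {"type", "id", "name", "config"}  # what dex reads per entry
# Keys the dex GitLab connector docs linked in this issue put under config:.
GITLAB_CONFIG_KEYS = {"baseURL", "clientID", "clientSecret", "redirectURI",
                      "groups", "useLoginAsID"}
REQUIRED_CONFIG_KEYS = {"baseURL", "clientID", "clientSecret"}
KEY_LINE = re.compile(r"^(\s*)(- )?([A-Za-z][\w.]*):(.*)$")


def parse_key_lines(text: str) -> List[Tuple[int, int, str, str]]:
    """(lineno, key indent, key, value) per `key: value` line; a leading '- '
    counts as two extra columns, which is where YAML places the key."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = KEY_LINE.match(raw)
        if not m or raw.lstrip().startswith("#"):
            continue  # blanks, comments, plain list items such as `- "<GROUP>"`
        indent = len(m.group(1)) + (2 if m.group(2) else 0)
        value = m.group(4).split("#", 1)[0].strip()  # drop trailing comments
        entries.append((lineno, indent, m.group(3), value))
    return entries


def lint_dex_config(text: str) -> List[str]:
    """Findings as strings; [] means every gitlab entry is shaped as dex expects."""
    findings: List[str] = []
    entries = parse_key_lines(text)
    # 1. A deeper-indented key right after a key that already holds a scalar
    #    (the reporter's `name: GitLab` followed by an indented `baseURL:`).
    for (_, i1, k1, v1), (n2, i2, k2, _) in zip(entries, entries[1:]):
        if i2 > i1 and v1 and v1[0] not in "|>":  # '|' and '>' open a block scalar
            findings.append(f"line {n2}: '{k2}' is indented under scalar '{k1}: {v1}' (invalid YAML)")
    # 2. Walk each `- type: gitlab` entry (assumes `type` is the item's first key,
    #    as in every config in this thread).
    for idx, (n, indent, key, value) in enumerate(entries):
        if key != "type" or value != "gitlab":
            continue
        level_keys: Dict[str, int] = {}
        config_keys, parent = set(), "type"
        for n2, i2, k2, _ in entries[idx + 1:]:
            if i2 < indent or (i2 == indent and k2 == "type"):
                break  # left this connector entry
            if i2 == indent:
                level_keys[k2], parent = n2, k2
            elif i2 == indent + 2 and parent == "config":
                config_keys.add(k2)
        for k2, n2 in level_keys.items():
            if k2 in GITLAB_CONFIG_KEYS:
                findings.append(f"line {n2}: '{k2}' belongs under config:, not at connector level")
        missing = sorted(REQUIRED_CONFIG_KEYS - config_keys)
        if "config" not in level_keys:
            findings.append(f"line {n}: gitlab connector has no config: block")
        elif missing:
            findings.append(f"line {n}: config: lacks {', '.join(missing)}")
    return findings


# Constructed samples; secrets replaced by placeholders.
REPORTED = """\
connectors:
  - type: gitlab
    id: gitlab
    name: GitLab
      baseURL: https://gitlab.com
      clientID: placeholder-id
      clientSecret: placeholder-secret
"""
MISPLACED = """\
connectors:
  - type: gitlab
    id: gitlab
    name: GitLab
    baseURL: https://gitlab.example.com
    config:
      clientID: placeholder-id
      clientSecret: placeholder-secret
    groups:
      - platform-team
"""
FIXED = """\
connectors:
  - type: gitlab
    id: gitlab
    name: GitLab
    config:
      baseURL: https://gitlab.example.com
      clientID: placeholder-id
      clientSecret: placeholder-secret
      groups:
        - platform-team
"""

if __name__ == "__main__":
    for label, sample in (("reported", REPORTED), ("misplaced", MISPLACED), ("fixed", FIXED)):
        print(label, lint_dex_config(sample) or ["ok"])
```

Feed it the text of `dex.config` from the argocd-cm ConfigMap (for example the output of `kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.dex\.config}'`); a clean result only says the shape is right, the values still have to be checked against the GitLab application.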

midestefanis commented 2 years ago

Probably among so many tests it must have gone wrong; anyway, I corrected it and it continues to throw the same error. @sigi4

lucasff commented 2 years ago

dex.config: |
  logger:
    level: debug
    format: json
  connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: <your ID>
      clientSecret: <your secret>
      orgs:
      - name: <your org>

I hope it helps, it might be very similar to GitLab, although I use GitHub. It works.

jeunii commented 2 years ago

Were you able to make this work? My current config looks like this:

dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        baseURL: https://gitlab.com/
        redirectURI: http://127.0.0.1:5556/dex/callback
        config:
          clientID: c6a63e543c.......
          clientSecret: <REDACTED>
          groups:
          - 547.....

On the GitLab side the app is configured (screenshot). A button "LOG IN VIA GITLAB" does appear on the login page, but when I click it nothing happens.

jeunii commented 2 years ago

I pointed redirectURI to my dex service

redirectURI: http://argocd-dex-server:5556/dex/callback

and now at least the request goes to the dex server. On GitLab I was asked to authorize my access to GitLab, but then ArgoCD says "login failed".

Dex logs state

time="2022-08-18T16:32:28Z" level=error msg="Failed to authenticate: gitlab: get groups: gitlab: user \"FirstName.LastName\" is not in any of the required groups"

jeunii commented 2 years ago

I got this working.

So my final config looks like

  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        baseURL: https://gitlab.com
        redirectURI: http://argocd-dex-server:5556/dex/callback # <---- Point to dex server
        config:
          clientID: <REDACTED> # <--- from gitlab app Application ID
          clientSecret:  <REDACTED> # <--- from gitlab app Secret
        groups:
        - "<GROUP_NAME>" # <--- name of group you are part of in gitlab

I was getting a 502 when redirected back so I added the following to the ingress

metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
    nginx.ingress.kubernetes.io/proxy-buffers-number: "8"

And to make sure that members of the gitlab group are admins on ArgoCD, added the following cm

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    g, <GROUP_NAME>, role:admin

dgsfor commented 2 years ago

Hi, how does it work with a private GitLab? My GitLab address is: https://gitlab.xxxx.com

SHCanard commented 1 year ago

@gsgs-libin

I had the same question, and after a lot of tries this is our working configuration.

argocd-cm:

data:
  dex.config: |-
    connectors:
      # GitLab
      - type: gitlab
        id: gitlab
        name: Our Private GitLab
        config:
          baseURL: http://gitlab.ourdomain.com
          clientID: <GITLAB APP ID>
          clientSecret: <GITLAB APP SECRET>
        groups:
        - "<GROUP>"
        useLoginAsID: false
  url: https://argocd.ourdomain.com

argocd-rbac-cm:

data:
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow
    p, role:org-admin, logs, get, *, allow
    p, role:org-admin, exec, create, */*, allow
    g, <GROUP>, role:org-admin
  policy.default: role:readonly

argocd-dex-server:

        volumeMounts:
        - mountPath: /etc/ssl/certs/
          name: my-ca

[...]

      volumes:
      - name: my-ca
        secret:
          defaultMode: 420
          secretName: ca-root

I had to delete the argocd-server pod for it to work correctly, though, and if I remove the --insecure arg in the deployment things are broken... I hope it helps!
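Both working answers above map a GitLab group to a role: jeunii's `g, <GROUP_NAME>, role:admin` hands the whole group the built-in admin role, while SHCanard's grants a scoped role:org-admin and sets policy.default: role:readonly for everyone else. The evaluator below is an added example of mine, not Argo CD's casbin-based enforcer; it resolves decisions from such a policy.csv so the difference between the two mappings and the effect of policy.default can be checked offline before the ConfigMap is applied. It assumes the group claim carries exactly the string used in the g line (for dex's GitLab connector that is, as far as I know, the group's full path), and the built-in-role subset and the placeholder group `platform-team` are constructed.

```python
"""Resolve an Argo CD RBAC decision from an argocd-rbac-cm policy.csv the way
the configs in this thread intend: `g` lines map a GitLab group claim to a role,
`p` lines grant that role actions, and a user with no matching rule falls back
to policy.default. A miniature of the csv semantics (glob matching, transitive g
lines, explicit deny wins), written for this thread, not Argo CD's engine."""
import fnmatch
from typing import Dict, List, Set, Tuple

# Constructed: SHCanard's scoped role with a placeholder group name.
SCOPED_POLICY = """\
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, logs, get, *, allow
g, platform-team, role:org-admin
"""
# Constructed: jeunii's mapping, which hands the group the built-in admin role.
ADMIN_POLICY = "g, platform-team, role:admin\n"
# Hand-written subset of Argo CD's built-in roles, enough for the checks below.
BUILTIN_POLICY = """\
p, role:admin, *, *, *, allow
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
"""


def parse_policy(csv_text: str) -> Tuple[List[Tuple[str, ...]], Dict[str, Set[str]]]:
    """Split policy.csv into p rules and a subject -> roles map from g lines."""
    rules: List[Tuple[str, ...]] = []
    grants: Dict[str, Set[str]] = {}
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # subject, resource, action, object, effect
        elif fields[0] == "g" and len(fields) == 3:
            grants.setdefault(fields[1], set()).add(fields[2])
    return rules, grants


def effective_subjects(user: str, groups: List[str],
                       grants: Dict[str, Set[str]]) -> Set[str]:
    """The user, their group claims, and every role reachable through g lines."""
    subjects = {user, *groups}
    todo = list(subjects)
    while todo:
        for role in grants.get(todo.pop(), ()):
            if role not in subjects:
                subjects.add(role)
                todo.append(role)
    return subjects


def can(user: str, groups: List[str], resource: str, action: str, obj: str,
        policy: str = SCOPED_POLICY, default_role: str = "role:readonly") -> bool:
    """True if some allow rule matches and no deny rule does. The default role is
    evaluated alongside the user's own roles, which for allow-only policies gives
    the same answer as Argo CD's fallback to policy.default."""
    rules, grants = parse_policy(policy + BUILTIN_POLICY)
    subjects = effective_subjects(user, groups, grants)
    if default_role:
        subjects.add(default_role)
    allowed = False
    for subject, res, act, pattern, effect in rules:
        if (subject in subjects and fnmatch.fnmatchcase(resource, res)
                and fnmatch.fnmatchcase(action, act)
                and fnmatch.fnmatchcase(obj, pattern)):
            if effect == "deny":
                return False  # an explicit deny overrides any allow
            allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("alice", ["platform-team"], "applications", "sync", "default/my-app"),
        ("alice", ["platform-team"], "clusters", "create", "*"),
        ("bob", [], "applications", "get", "default/my-app"),
        ("bob", [], "applications", "sync", "default/my-app"),
    ]
    for user, groups, resource, action, obj in checks:
        verdict = "allow" if can(user, groups, resource, action, obj) else "deny"
        print(f"{user} {resource}/{action} {obj} -> {verdict}")
```

With the scoped policy a group member can sync applications but cannot create clusters, a non-member only gets the read-only defaults, and clearing `default_role` removes even those; swapping in `ADMIN_POLICY` shows that the role:admin mapping allows everything. For the real enforcer, `argocd admin settings rbac can <subject> <action> <resource> [object] --policy-file policy.csv` asks Argo CD itself the same question.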