kubesphere / ks-devops

This is a cloud-native application that focuses on the DevOps area.
https://kubesphere.io/devops/
Apache License 2.0

Use ldap to sync account between ks and argocd #858

Open chilianyi opened 1 year ago

chilianyi commented 1 year ago

What version of KubeSphere DevOps has the issue?

v3.3.1

How did you install the Kubernetes? Or what is the Kubernetes distribution?

kubekey

Describe this feature

Like Jenkins, use LDAP to sync accounts between KubeSphere and Argo CD.

Create an account in KS and be able to sign in to Argo CD with that username and password.

Additional information

No response

Feeeenng commented 1 year ago

Try the following steps to complete the LDAP sync.

1. Create the Dex LDAP config in the argocd-cm ConfigMap:

   ```shell
   kubectl -n argocd edit configmaps argocd-cm
   ```

   Patch in the KubeSphere LDAP config:

   ```yaml
   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: argocd-cm
     namespace: argocd
   data:
     # externally facing URL of the Argo CD server, used for the SSO callback
     url: https://172.37.88.21:30809/
     dex.config: |-
       connectors:
       - type: ldap
         name: ks ldap
         id: ldap
         config:
           host: openldap.kubesphere-system.svc
           # plain LDAP inside the cluster: the bind password crosses the network in cleartext
           insecureNoSSL: true
           insecureSkipVerify: true
           # $name values are read from keys of the same name in argocd-secret (step 2)
           bindDN: "$dex.ldap.bindDN"
           bindPW: "$dex.ldap.bindPW"
           usernamePrompt: Username
           userSearch:
             baseDN: "ou=Users,dc=kubesphere,dc=io"
             filter: "(objectClass=person)"
             username: uid
             idAttr: uid
             emailAttr: uid
             nameAttr: cn
           groupSearch:
             baseDN: "ou=Groups,dc=kubesphere,dc=io"
             filter: "(objectClass=groupOfUniqueNames)"
             userAttr: DN
             groupAttr: uniqueMember
             nameAttr: cn
   ```
2. Patch the bind DN and password into argocd-secret:

   ```shell
   # printf, not echo: echo appends a newline, which would be base64-encoded into the stored password
   kubectl -n argocd patch secrets argocd-secret --patch "{\"data\":{\"dex.ldap.bindPW\":\"$(printf '%s' admin | base64)\"}}"
   kubectl -n argocd patch secrets argocd-secret --patch "{\"data\":{\"dex.ldap.bindDN\":\"$(printf '%s' cn=admin,dc=kubesphere,dc=io | base64)\"}}"
   ```

3. Update the RBAC role:

   ```shell
   kubectl -n argocd edit configmap argocd-rbac-cm
   ```

   Update the KubeSphere admin role:

   ```yaml
   kind: ConfigMap
   apiVersion: v1
   metadata:
     name: argocd-rbac-cm
     namespace: argocd
     labels:
       app.kubernetes.io/component: server
       app.kubernetes.io/instance: devops
       app.kubernetes.io/managed-by: Helm
       app.kubernetes.io/name: argocd-rbac-cm
       app.kubernetes.io/part-of: argocd
       helm.sh/chart: argo-cd-4.4.0
     annotations:
       meta.helm.sh/release-name: devops
       meta.helm.sh/release-namespace: argocd
   data:
     # the subject must equal the email claim Dex emits for the user (emailAttr in step 1)
     policy.csv: |
       g, admin@kubesphere.io, role:admin
     # every other LDAP user who can log in gets read-only access to all applications
     policy.default: 'role:readonly'
     scopes: '[email, group]'
   ```


4. Restart the dex-server and argocd-server:

   ```shell
   kubectl rollout -n argocd restart deployment devops-argocd-server devops-argocd-dex-server
   ```



Open argocd-server:

![image](https://github.com/kubesphere/ks-devops/assets/14897634/8e71a8ff-2109-4fda-8c9c-66ebcb8685c3)

Use a KubeSphere account to log in to Argo CD:

![image](https://github.com/kubesphere/ks-devops/assets/14897634/287a46b3-d1d8-46b7-a8c9-bf525f2d2be2)

Login success:

![image](https://github.com/kubesphere/ks-devops/assets/14897634/91e842fe-ccb6-462b-b028-10afdb03999d)
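The four steps from the comment above as one script, added here as an example; it is not code from the issue thread, from ks-devops or from Argo CD. It assumes the names visible in the thread (namespace `argocd`, Helm release `devops`, KubeSphere's `openldap.kubesphere-system.svc` service and its `ou=Users` / `ou=Groups` tree) and lets environment variables override them; the helper names (`b64`, `ends_with_newline`, `secret_patch`, `connector_patch`, `rbac_patch`, `apply_all`) are my own. It goes beyond the comment in two ways: the secret values are encoded with `printf` so no trailing newline ends up in the bind password, and after patching it reads the secret back and fails if such a newline is present.

```shell
#!/bin/sh
# Added example (not the issue author's or the project's code): the LDAP
# sync steps as one idempotent script with a post-check on the stored secret.
# Assumed from the thread: namespace "argocd", Helm release "devops",
# KubeSphere's OpenLDAP service and DIT. All of it is overridable by env vars.
set -eu

NS="${ARGOCD_NS:-argocd}"
RELEASE="${ARGOCD_RELEASE:-devops}"
LDAP_HOST="${LDAP_HOST:-openldap.kubesphere-system.svc}"
BIND_DN="${LDAP_BIND_DN:-cn=admin,dc=kubesphere,dc=io}"
BIND_PW="${LDAP_BIND_PW:-admin}"              # placeholder value from the thread
ADMIN_SUBJECT="${ARGOCD_ADMIN:-admin@kubesphere.io}"

# base64 without a trailing newline. `echo admin | base64` prints "YWRtaW4K":
# the K encodes "\n", so Dex would bind with the password "admin\n" and fail.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# True when a base64 value decodes to something ending in "\n" (the symptom
# of the echo mistake); used to check what actually got stored.
ends_with_newline() {
  [ "$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' ')" = "0a" ]
}

# JSON merge patch for argocd-secret: the bind DN and password that the Dex
# connector references as $dex.ldap.bindDN / $dex.ldap.bindPW.
secret_patch() {
  printf '{"data":{"dex.ldap.bindDN":"%s","dex.ldap.bindPW":"%s"}}' \
    "$(b64 "$1")" "$(b64 "$2")"
}

# Merge patch (YAML, which kubectl patch accepts) adding the LDAP connector to
# argocd-cm. insecureNoSSL sends the bind password in cleartext inside the
# cluster; switch to ldaps:// plus a CA when the directory offers TLS.
connector_patch() {
  cat <<EOF
data:
  dex.config: |
    connectors:
    - type: ldap
      id: ldap
      name: ks ldap
      config:
        host: $1
        insecureNoSSL: true
        insecureSkipVerify: true
        bindDN: "\$dex.ldap.bindDN"
        bindPW: "\$dex.ldap.bindPW"
        usernamePrompt: Username
        userSearch:
          baseDN: "ou=Users,dc=kubesphere,dc=io"
          filter: "(objectClass=person)"
          username: uid
          idAttr: uid
          emailAttr: uid
          nameAttr: cn
        groupSearch:
          baseDN: "ou=Groups,dc=kubesphere,dc=io"
          filter: "(objectClass=groupOfUniqueNames)"
          userAttr: DN
          groupAttr: uniqueMember
          nameAttr: cn
EOF
}

# Merge patch for argocd-rbac-cm. policy.default gives every LDAP user who can
# log in read access to all applications; leave it empty to deny by default.
# The subject must equal the email claim Dex emits (emailAttr above).
rbac_patch() {
  cat <<EOF
data:
  policy.csv: |
    g, $1, role:admin
  policy.default: role:readonly
  scopes: '[email, group]'
EOF
}

apply_all() {
  kubectl -n "$NS" patch configmap argocd-cm --type merge -p "$(connector_patch "$LDAP_HOST")"
  kubectl -n "$NS" patch secret argocd-secret --type merge -p "$(secret_patch "$BIND_DN" "$BIND_PW")"
  kubectl -n "$NS" patch configmap argocd-rbac-cm --type merge -p "$(rbac_patch "$ADMIN_SUBJECT")"
  kubectl -n "$NS" rollout restart deployment "$RELEASE-argocd-server" "$RELEASE-argocd-dex-server"
  # Post-check: the stored password must not carry a newline from a stray echo.
  stored=$(kubectl -n "$NS" get secret argocd-secret -o jsonpath='{.data.dex\.ldap\.bindPW}')
  if ends_with_newline "$stored"; then
    echo "dex.ldap.bindPW ends with a newline; re-encode it with printf, not echo" >&2
    exit 1
  fi
}

# Only touch the cluster when explicitly asked; sourcing the file just defines
# the helpers and has no side effects.
if [ "${1:-}" = "apply" ]; then
  apply_all
fi
```

Run it as `sh ldap-sync.sh apply` with a kubeconfig that can edit the `argocd` namespace. All three patches are merge patches, so re-running the script after changing a value is safe; the connector block and `policy.csv` are replaced wholesale, so keep any other connectors or policy lines you already have in those keys.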