Manage ArgoCD via IaC #50

Open
clee231 opened this issue Aug 1, 2023 · 0 comments
Labels
✨ enhancement New feature or request ☸️ k8s Kubernetes related stuff

Comments

@clee231
Contributor

clee231 commented Aug 1, 2023

The following aspects of the ArgoCD setup are not managed by IaC. Note that the initial deployment of ArgoCD is managed by Terraform; however, configuration of ArgoCD may be better configured by other methods.

We need to write the infrastructure as code to manage this:

  • LDAP configuration
  • LDAP Group to ArgoCD Role mapping

The group configuration is defined as follows:

$ kubectl get cm -n argocd argocd-rbac-cm -o yaml
apiVersion: v1
data:
  policy.csv: |
    p, role:none, *, *, */*, deny
    g, ACMLANAdmins, role:admin
  policy.default: ""
  scopes: '[groups]'
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd-release
    meta.helm.sh/release-namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd-release
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.7.9
    helm.sh/chart: argo-cd-5.42.0
  name: argocd-rbac-cm
  namespace: argocd

The LDAP configuration is defined as follows:

$ kubectl get cm -n argocd argocd-cm -o yaml
apiVersion: v1
data:
  admin.enabled: "true"
  application.instanceLabelKey: argocd.argoproj.io/instance
  dex.config: |
    connectors:
    - type: ldap
      name: AD
      id: ad
      config:
        # Ldap server address
        host: activedirectory.acmuic.org:636
        insecureNoSSL: false
        insecureSkipVerify: true
        # Variable name stores ldap bindDN in argocd-secret
        bindDN: "$dex.ldap.bindDN"
        # Variable name stores ldap bind password in argocd-secret
        bindPW: "$dex.ldap.bindPW"
        usernamePrompt: Username
        # LDAP user search attributes
        userSearch:
          baseDN: "OU=ACMUsers,DC=acmuic,DC=org"
          filter: "(objectClass=person)"
          username: sAMAccountName
          idAttr: DN
          emailAttr: userPrincipalName
          nameAttr: displayName
        # LDAP group search attributes
        groupSearch:
          baseDN: "OU=ACMGroups,DC=acmuic,DC=org"
          filter: "(objectClass=group)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  exec.enabled: "false"
  server.rbac.log.enforce.enable: "false"
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://cd.acmuic.org
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd-release
    meta.helm.sh/release-namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd-release
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.7.9
    helm.sh/chart: argo-cd-5.42.0
  name: argocd-cm
  namespace: argocd
@clee231 clee231 added ✨ enhancement New feature or request ☸️ k8s Kubernetes related stuff labels Aug 1, 2023
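An added review check for the two ConfigMaps shown above (example code, not part of this repository or of ArgoCD itself): it takes each ConfigMap's data, with dex.config already parsed into a dict as a YAML loader would return it, flags the TLS verification gap in the LDAP connector and the still-enabled built-in admin account, and lists which LDAP groups the policy.csv maps to role:admin. The sample values are constructed from the issue; the finding ids and the audit function are assumptions of this example.

```python
import csv
import io

# Constructed sample mirroring the issue's ConfigMaps. dex.config is given
# already parsed (what yaml.safe_load would return for that string).
DEX_CONNECTOR = {
    "type": "ldap", "name": "AD", "id": "ad",
    "config": {
        "host": "activedirectory.acmuic.org:636",
        "insecureNoSSL": False,
        "insecureSkipVerify": True,
        "bindDN": "$dex.ldap.bindDN",
        "bindPW": "$dex.ldap.bindPW",
    },
}
ARGOCD_CM = {"admin.enabled": "true"}
RBAC_CM = {
    "policy.csv": "p, role:none, *, *, */*, deny\ng, ACMLANAdmins, role:admin\n",
    "policy.default": "",
    "scopes": "[groups]",
}


def parse_policy_csv(text):
    """Split ArgoCD policy.csv into stripped fields, skipping blank lines."""
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    return [[c.strip() for c in row] for row in rows if row and row[0].strip()]


def audit(dex_connector, argocd_cm, rbac_cm):
    """Return (findings, admin_groups) for an LDAP-backed ArgoCD setup."""
    findings = []
    cfg = dex_connector.get("config", {})
    if cfg.get("insecureNoSSL"):
        findings.append(("ldap-plaintext", "LDAP bind and searches travel unencrypted"))
    elif cfg.get("insecureSkipVerify"):  # LDAPS without checking the server cert
        findings.append(("ldap-no-cert-verification", "TLS to %s is used but the server "
                         "certificate is not checked; set insecureSkipVerify: false and "
                         "pin the CA via rootCA/rootCAData" % cfg.get("host", "?")))
    for key in ("bindDN", "bindPW"):  # credentials belong in argocd-secret, not the cm
        if not str(cfg.get(key, "")).startswith("$"):
            findings.append(("inline-bind-credential", "%s is literal in the ConfigMap" % key))
    if argocd_cm.get("admin.enabled", "true") == "true":  # ArgoCD defaults this to true
        findings.append(("local-admin-enabled", "built-in admin still active alongside SSO"))
    if rbac_cm.get("policy.default", "").strip():  # empty string = no default role
        findings.append(("default-role", "every authenticated user gets %s"
                         % rbac_cm["policy.default"]))
    rules = parse_policy_csv(rbac_cm.get("policy.csv", ""))
    admin_groups = [r[1] for r in rules if r[0] == "g" and len(r) > 2 and r[2] == "role:admin"]
    return findings, admin_groups
```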