Manage ArgoCD via IaC #50

@clee231

Description

The following aspects of the ArgoCD setup are not managed by IaC. Note that the initial deployment of ArgoCD is managed by Terraform; however, configuration of ArgoCD may be better configured by other methods.

We need to write the infrastructure as code to manage this:

  • LDAP configuration
  • LDAP Group to ArgoCD Role mapping

The group configuration is defined as follows:

$ kubectl get cm -n argocd argocd-rbac-cm -o yaml
apiVersion: v1
data:
  policy.csv: |
    p, role:none, *, *, */*, deny
    g, ACMLANAdmins, role:admin
  policy.default: ""
  scopes: '[groups]'
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd-release
    meta.helm.sh/release-namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd-release
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.7.9
    helm.sh/chart: argo-cd-5.42.0
  name: argocd-rbac-cm
  namespace: argocd

The LDAP configuration is defined as follows:

$ kubectl get cm -n argocd argocd-cm -o yaml
apiVersion: v1
data:
  admin.enabled: "true"
  application.instanceLabelKey: argocd.argoproj.io/instance
  dex.config: |
    connectors:
    - type: ldap
      name: AD
      id: ad
      config:
        # Ldap server address
        host: activedirectory.acmuic.org:636
        insecureNoSSL: false
        insecureSkipVerify: true
        # Variable name stores ldap bindDN in argocd-secret
        bindDN: "$dex.ldap.bindDN"
        # Variable name stores ldap bind password in argocd-secret
        bindPW: "$dex.ldap.bindPW"
        usernamePrompt: Username
        # Ldap user serch attributes
        userSearch:
          baseDN: "OU=ACMUsers,DC=acmuic,DC=org"
          filter: "(objectClass=person)"
          username: sAMAccountName
          idAttr: DN
          emailAttr: userPrincipalName
          nameAttr: displayName
        # Ldap group serch attributes
        groupSearch:
          baseDN: "OU=ACMGroups,DC=acmuic,DC=org"
          filter: "(objectClass=group)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  exec.enabled: "false"
  server.rbac.log.enforce.enable: "false"
  timeout.hard.reconciliation: 0s
  timeout.reconciliation: 180s
  url: https://cd.acmuic.org
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: argocd-release
    meta.helm.sh/release-namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: argocd-release
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/version: v2.7.9
    helm.sh/chart: argo-cd-5.42.0
  name: argocd-cm
  namespace: argocd
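One way to bring both ConfigMaps under the Terraform that already deploys ArgoCD is to feed them in as Helm values rather than patching the Helm-owned ConfigMaps afterwards. The block below is an added example, not code from this repository; it assumes the hashicorp/helm provider, the argo-cd chart version shown in the labels above (5.42.0) exposing the `configs.cm` and `configs.rbac` values, an existing `argocd-secret` holding `dex.ldap.bindDN` / `dex.ldap.bindPW` as the live config already references, and a placeholder path `ldap-ca.pem` for the directory server's CA certificate. It deliberately differs from the live ConfigMap in one place: the connector verifies the LDAP server certificate against that pinned CA (`insecureSkipVerify: false` plus `rootCAData`) instead of skipping verification, so the bind credentials are not sent to an unverified endpoint.

```hcl
# Added example (not this project's code): manage the ArgoCD RBAC policy and the
# Dex LDAP connector through the same Helm release Terraform already creates.
# Assumes the hashicorp/helm provider, argo-cd chart 5.42.0 (configs.cm / configs.rbac),
# and a placeholder CA file ldap-ca.pem next to this module.
resource "helm_release" "argocd" {
  name       = "argocd-release"
  namespace  = "argocd"
  repository = "https://argoproj.github.io/argo-helm"
  chart      = "argo-cd"
  version    = "5.42.0"

  values = [
    yamlencode({
      configs = {
        # Rendered into the argocd-cm ConfigMap.
        cm = {
          "admin.enabled" = "true"
          "url"           = "https://cd.acmuic.org"
          "dex.config" = yamlencode({
            connectors = [{
              type = "ldap"
              name = "AD"
              id   = "ad"
              config = {
                host          = "activedirectory.acmuic.org:636"
                insecureNoSSL = false
                # Hardened relative to the live ConfigMap: verify the server
                # certificate against a pinned CA instead of skipping verification.
                insecureSkipVerify = false
                rootCAData         = base64encode(file("${path.module}/ldap-ca.pem"))
                # Names of keys in argocd-secret; resolved by ArgoCD, not Terraform.
                bindDN         = "$dex.ldap.bindDN"
                bindPW         = "$dex.ldap.bindPW"
                usernamePrompt = "Username"
                userSearch = {
                  baseDN    = "OU=ACMUsers,DC=acmuic,DC=org"
                  filter    = "(objectClass=person)"
                  username  = "sAMAccountName"
                  idAttr    = "DN"
                  emailAttr = "userPrincipalName"
                  nameAttr  = "displayName"
                }
                groupSearch = {
                  baseDN = "OU=ACMGroups,DC=acmuic,DC=org"
                  filter = "(objectClass=group)"
                  userMatchers = [{
                    userAttr  = "DN"
                    groupAttr = "member"
                  }]
                  nameAttr = "cn"
                }
              }
            }]
          })
        }
        # Rendered into the argocd-rbac-cm ConfigMap: deny by default, and map the
        # ACMLANAdmins LDAP group (delivered in the "groups" scope) to role:admin.
        rbac = {
          "policy.csv" = <<-EOT
            p, role:none, *, *, */*, deny
            g, ACMLANAdmins, role:admin
          EOT
          "policy.default" = ""
          scopes           = "[groups]"
        }
      }
    })
  ]
}
```

With the values in Terraform, `terraform plan` surfaces any hand edits made to the two ConfigMaps as drift, and the `policy.csv` text can be checked for syntax before applying with `argocd admin settings rbac validate --policy-file <file>`.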
