ArgoCD SSO via Keycloak OIDC #234

Open
dcmcand wants to merge 9 commits into main from feature/argocd-keycloak-sso

@dcmcand (Contributor) commented Apr 8, 2026

Summary

Closes #227

  • Configure ArgoCD with Keycloak OIDC SSO as part of initial deployment
  • Create argocd-admins (full admin) and argocd-viewers (read-only) Keycloak groups mapped to ArgoCD RBAC roles
  • Pre-generate OIDC client secret in Go, inject into ArgoCD Helm values and store as K8s secret for realm-setup job
  • Extend realm-setup job to create ArgoCD OIDC client, groups, and add realm admin to argocd-admins
  • Update post-deploy instructions with SSO login info and break-glass admin fallback

How it works

  1. deploy.go generates a client secret upfront
  2. ArgoCD is installed via Helm with OIDC config (ConfigWithOIDC()) referencing Keycloak's issuer URL and the client secret
  3. The secret is also stored as argocd-oidc-client-secret in the keycloak namespace
  4. When Keycloak deploys (sync wave 4), the PostSync realm-setup job reads the secret and creates the matching OIDC client, groups, and group membership
  5. ArgoCD's OIDC discovery is lazy, so SSO starts working once Keycloak is ready

Test plan

  • Unit tests pass: go test ./... -v
  • Linter clean: golangci-lint run
  • Deploy to local cluster, verify ArgoCD shows "Log in via Keycloak" button
  • Log in as realm admin, verify admin access (argocd-admins group)
  • Create user in argocd-viewers group, verify read-only access
  • Create user not in either group, verify access denied
  • Re-run deploy (idempotency), verify no errors
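
The first two "How it works" steps and the group-to-role mapping from the summary, sketched as an added example (not code from this PR or the project): GenerateClientSecret and OIDCHelmValues are hypothetical names, the issuer URL and client ID are constructed, and it assumes the argo-cd Helm chart's configs.cm, configs.secret.extra and configs.rbac values plus a Keycloak client scope named groups that emits a groups claim.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// GenerateClientSecret returns 32 bytes from the OS CSPRNG, base64url-encoded
// (43 characters, no padding), for use as the OIDC client secret.
func GenerateClientSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", fmt.Errorf("generate OIDC client secret: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// OIDCHelmValues (hypothetical helper) builds argo-cd chart values. The secret
// goes only into argocd-secret via configs.secret.extra; the ConfigMap entry
// refers to it by key, so the value never lands in argocd-cm.
func OIDCHelmValues(issuerURL, clientID, secret string) map[string]any {
	oidc := fmt.Sprintf("name: Keycloak\nissuer: %s\nclientID: %s\n"+
		"clientSecret: $oidc.keycloak.clientSecret\n"+
		"requestedScopes: [openid, profile, email, groups]\n", issuerURL, clientID)
	return map[string]any{"configs": map[string]any{
		"cm": map[string]any{"oidc.config": oidc},
		"secret": map[string]any{
			"extra": map[string]any{"oidc.keycloak.clientSecret": secret},
		},
		"rbac": map[string]any{
			// Group names from the PR summary, mapped to built-in ArgoCD roles.
			"policy.csv": "g, argocd-admins, role:admin\ng, argocd-viewers, role:readonly\n",
			// Empty default: users in neither group get no permissions.
			"policy.default": "",
			"scopes":         "[groups]",
		},
	}}
}

func main() {
	secret, err := GenerateClientSecret()
	if err != nil {
		panic(err)
	}
	// Constructed issuer URL and client ID, for illustration only.
	v := OIDCHelmValues("https://keycloak.example.com/realms/example", "argocd", secret)
	fmt.Println(v["configs"].(map[string]any)["cm"].(map[string]any)["oidc.config"])
}
```

The empty policy.default is what makes the "user not in either group" test case fail closed; any non-empty default role would grant that user access.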

@dcmcand dcmcand force-pushed the feature/argocd-keycloak-sso branch from a6a5795 to 487cfd6 Compare April 23, 2026 12:04
@dcmcand dcmcand added the priority: medium ⚡ Medium priority - standard queue label Apr 27, 2026
@viniciusdc viniciusdc added the status: in review 👀 This PR is currently being reviewed by the team label Apr 27, 2026
@dcmcand dcmcand force-pushed the feature/argocd-keycloak-sso branch from 487cfd6 to 7c46e42 Compare May 6, 2026 10:17
- Extract "nebari-foundational" string into NebariFoundationalPartOf constant (goconst)
- Remove extra blank line in install.go (gofmt)