Comments (32)
@davidkarlsen It's available now
from gitops-operator.
I figured out why this fails. If you have a global proxy setting [1] it will fail like described.
[1]
administration -> cluster settings -> global configuration -> proxy
from gitops-operator.
My question is more, are we going to be able to set the ArgoCD parameters such as DEX SSO when instantiating the GitOps so I eliminate a step to post-configure ArgoCD to enable the SSO
@iam-veeramalla I don't have access to your Google Document
from gitops-operator.
@davidkarlsen @pburgisser we are working on the documentation. It will be available post GA. We have plans to automate SSO without the user having to configure any additional steps. Unfortunately that is also after GA.
For now, users have to perform the steps below manually.
Set DISABLE_DEX env variable to false. Example shown below.
```yaml
spec:
  config:
    env:
    - name: DISABLE_DEX
      value: "false"
```
You can enable RBAC on argo-cd by following the instructions provided in the argo-cd RBAC Configuration. Example RBAC configuration looks like this.
```yaml
spec:
  dex:
    openShiftOAuth: true
  rbac:
    defaultPolicy: 'role:readonly'
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
```
from gitops-operator.
@iam-veeramalla Regarding my last remark. You mentioned that we can adapt the RBAC through the ArgoCD CR. I fully agree on this but I meant that we should be able to configure more options than only the AuthN & AuthZ through the instantiation of the GitOps CR.
from gitops-operator.
After digging around I see that there seems to be integration in place, however the operator just says:
```
{"level":"info","ts":1616417678.2982924,"logger":"controller_argocd","msg":"reconciling for dex, but dex is disabled"}
```
our CR:
```
k get argocd test -o yaml
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  creationTimestamp: "2021-03-22T12:22:14Z"
  generation: 11
  name: test
  namespace: pti-stest
  resourceVersion: "433157028"
  selfLink: /apis/argoproj.io/v1alpha1/namespaces/pti-stest/argocds/test
  uid: e41f37e9-2c1f-4291-89eb-74671f44d369
spec:
  controller:
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
  dex:
    openShiftOAuth: true
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
  redis:
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
  repo-server:
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
  server:
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
    route:
      enabled: true
  statusBadgeEnabled: true
```
from gitops-operator.
Hi @davidkarlsen , Thanks for reaching out.
Dex is disabled by default. It can be enabled by following the steps below.
```yaml
spec:
  config:
    env:
    - name: DISABLE_DEX
      value: "false"
```
You can enable RBAC on argo-cd by following the instructions provided in the argo-cd RBAC Configuration. Example RBAC configuration looks like this.
```yaml
spec:
  dex:
    openShiftOAuth: true
  rbac:
    defaultPolicy: 'role:readonly'
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
```
Detailed steps are available here:
https://docs.google.com/document/d/1147S5yOdj5Golj3IrTBeeci2E1CjAkieGCcl0w90BS8/edit?ts=602bd66f#
from gitops-operator.
Hi @davidkarlsen , Thanks for reaching out.
Dex is disabled by default. It can be enabled by following below steps.
```yaml
spec:
  config:
    env:
    - name: DISABLE_DEX
      value: "false"
```
You can enable RBAC on argo-cd by following the instructions provided in the argo-cd RBAC Configuration. Example RBAC configuration looks like this.
```yaml
spec:
  dex:
    openShiftOAuth: true
  rbac:
    defaultPolicy: 'role:readonly'
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
```
Detailed steps are available here:
docs.google.com/document/d/1147S5yOdj5Golj3IrTBeeci2E1CjAkieGCcl0w90BS8/edit?ts=602bd66f#
nice, those docs are not linked from the repo?
And it is closed. I asked for access now.
I couldn't quite get it to work:
```
k describe argocd
Name: test
Namespace: pti-stest
Labels: <none>
Annotations: <none>
API Version: argoproj.io/v1alpha1
Kind: ArgoCD
Metadata:
  Creation Timestamp: 2021-03-22T12:22:14Z
  Generation: 13
  Resource Version: 445196707
  Self Link: /apis/argoproj.io/v1alpha1/namespaces/pti-stest/argocds/test
  UID: e41f37e9-2c1f-4291-89eb-74671f44d369
Spec:
  Config:
    Env:
      Value: false
      Name: DISABLE_DEX
  Controller:
    Resources:
      Limits:
        Cpu: 100m
        Memory: 128Mi
  Dex:
    Open Shift O Auth: true
  Rbac:
    Default Policy: role:readonly
    Policy: g, system:cluster-admins, role:admin
    Scopes: [groups]
  Redis:
    Resources:
      Limits:
        Cpu: 100m
        Memory: 128Mi
  Repo - Server:
    Resources:
      Limits:
        Cpu: 100m
        Memory: 128Mi
  Server:
    Resources:
      Limits:
        Cpu: 100m
        Memory: 128Mi
    Route:
      Enabled: true
  Status Badge Enabled: true
Status:
  Application Controller: Running
  Dex: Unknown
  Phase: Available
  Redis: Running
  Repo: Running
  Server: Running
Events: <none>
[et2448@Davids-Work-MacBook-Pro salt (⎈ |default/api-os-global-finods-com:6443/[email protected]:pti-stest)]$
```
from gitops-operator.
My question is more, are we going to be able to set the ArgoCD parameters such as DEX SSO when instantiating the GitOps so I eliminate a step to post-configure ArgoCD to enable the SSO
+1
It is not a smooth UX as of now. Lack of documentation and bad defaults make it a bad experience. It should come with sane defaults out of the box.
from gitops-operator.
IMO, the scope should be larger as we may want to configure components such as ServiceMonitor etc
from gitops-operator.
IMO, the scope should be larger as we may want to configure components such as ServiceMonitor etc
It can be modified and used according to your requirement
https://argoproj.github.io/argo-cd/operator-manual/rbac/
from gitops-operator.
@pburgisser Please let me know if this issue can be closed
from gitops-operator.
It still fails. You get redirected to https://test-server-pti-stest.apps.cluster.domain.tld/auth/login?return_url=https%3A%2F%2Ftest-server-pti-stest.apps.cluster.domain.tld%2Fapplicati
, where it hangs, and then a raw page:
```
Failed to query provider "https://test-server-pti-stest.apps.cluster.domain.tld/api/dex": 502 internal error - server connection terminated: <HEAD><TITLE>internal error - server connection terminated</TITLE></HEAD>
<BODY BGCOLOR="white" FGCOLOR="black"><H1>internal error - server connection terminated</H1><HR>
<FONT FACE="Helvetica,Arial"><B>
Description: internal error - server connection terminated</B></FONT>
<HR>
<!-- default "internal error - server connection terminated" response (502) -->
</BODY>
```
from gitops-operator.
It seems to just hang at dex. any debugging tips?
from gitops-operator.
@davidkarlsen @pburgisser we are working on the documentation. It will be available post GA. We have plans to automate SSO without the user having to configure any additional steps. Unfortunately that is also after GA.
When is "GA"? It's already released as 1.0.0?
from gitops-operator.
GA v1.1 has been released.
from gitops-operator.
has the operator hub bundle been updated? no update appears in the console
from gitops-operator.
Hm, cluster says "1.0.0 provided by Red Hat Inc." and no updates
from gitops-operator.
Ah. v1.1 is available for OCP 4.7+
from gitops-operator.
Can you label this bug and not question?
from gitops-operator.
Running version openshift-gitops-operator.v1.1.0
looks like the operator does not create the dex-service account:
{"level":"info","ts":1620379150.729094,"logger":"controller_argocd","msg":"oauth enabled, configuring dex service account"}
{"level":"error","ts":1620379150.7291572,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"argocd-controller","request":"argocd/argocd","error":"ServiceAccount \"argocd-argocd-dex-server\" not found","stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/remote-source/deps/gomod/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:258\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/remote-source/deps/gomod/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90"}
When I try to manually create the SA in the `argocd` namespace (same as the argoCD resource) it just deletes it again 🤷♂️
from gitops-operator.
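An added example, not part of the thread or the operator's code: a small triage script that reads operator log lines in the JSON format quoted above and reports the most recent Dex reconcile state plus any Dex-related reconcile errors. The state names and the sample list are constructed here; the message strings are the ones quoted in this thread.

```python
import json

# Message strings copied from the operator log lines quoted in this thread.
DEX_DISABLED = "reconciling for dex, but dex is disabled"
DEX_SA_SETUP = "oauth enabled, configuring dex service account"


def classify(line):
    """Map one operator log line to (ts, state, detail); None if unrelated."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # pasted prompts and other non-JSON noise
    if not isinstance(rec, dict):
        return None
    ts, msg, err = rec.get("ts", 0.0), rec.get("msg", ""), rec.get("error", "")
    if msg == DEX_DISABLED:
        return (ts, "dex-disabled", "operator is skipping Dex reconciliation")
    if msg == DEX_SA_SETUP:
        return (ts, "dex-configuring", "operator is setting up the Dex service account")
    if rec.get("level") == "error" and "dex" in err.lower():
        # 'request' is namespace/name of the ArgoCD instance being reconciled.
        return (ts, "dex-error", f"{rec.get('request', '?')}: {err}")
    return None


def diagnose(lines):
    """Return the most recent Dex state plus every Dex reconcile error seen."""
    events = sorted(e for e in map(classify, lines) if e)
    return {
        "latest": events[-1][1] if events else "no-dex-events",
        "errors": [detail for _, state, detail in events if state == "dex-error"],
    }


# Constructed sample: the thread's log lines with the stack trace dropped,
# plus one unrelated line (hypothetical message) and a pasted shell prompt.
SAMPLE = [
    '{"level":"info","ts":1616417678.2982924,"logger":"controller_argocd","msg":"reconciling for dex, but dex is disabled"}',
    '{"level":"info","ts":1620379150.729094,"logger":"controller_argocd","msg":"oauth enabled, configuring dex service account"}',
    '{"level":"error","ts":1620379150.7291572,"logger":"controller-runtime.controller","msg":"Reconciler error","controller":"argocd-controller","request":"argocd/argocd","error":"ServiceAccount \\"argocd-argocd-dex-server\\" not found"}',
    '{"level":"info","ts":1620379151.0,"logger":"controller_argocd","msg":"unrelated message"}',
    '[user@host]$ (pasted shell prompt)',
]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A `latest` value of `dex-disabled` means the operator never attempted Dex setup, while `dex-error` means it attempted setup and the reconcile failed, which are two different problems to chase.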
Running version
openshift-gitops-operator.v1.1.0
looks like the operator does not create the dex-service account:
See #76
from gitops-operator.
Are there any workarounds which can be done for this? Is it planned fixed for any release? The operator is not useful for us w/o this fix (and I guess a lot of enterprises rely on proxy config).
from gitops-operator.
I'm still not following.
According to the Red Hat Documentation [1] I have deployed the GitOps Operator which deploys an argoCD instance in openshift-gitops but this doesn't embed SSO as I'm expecting. Also, if I update the ArgoCD CR in the namespace openshift-gitops, there is a warning saying it's managed by the GitOpsService.
Now, I'm wondering how I can simply use the ArgoCD deployed by the GitOps operator on which I can login with my OpenShift credentials.
Finally, the documentation from Red Hat [2] mentions how to login to ArgoCD with my OpenShift credentials but it shows how to retrieve the admin password from a secret instead. I'm really confused.
[1] https://docs.openshift.com/container-platform/4.7/cicd/gitops/installing-openshift-gitops.html
[2] https://docs.openshift.com/container-platform/4.7/cicd/gitops/configuring_argo_cd_to_recursively_sync_a_git_repository_with_your_application/deploying-a-spring-boot-application-with-argo-cd.html#logging-in-to-the-argo-cd-instance-by-using-your-openshift-credentials_deploying-a-spring-boot-application-with-argo-cd
from gitops-operator.
The Red Hat SSO operator does not work even in a disconnected OCP installation
from gitops-operator.
Hi @ValentinoUberti ,
On a disconnected cluster, you need to follow some additional steps.
https://argocd-operator.readthedocs.io/en/latest/usage/keycloak/#additional-steps-for-disconnected-openshift-clusters
from gitops-operator.
@ValentinoUberti , we do not use RHSSO operator in the GitOps operator. We install RHSSO using OpenShift templates. You can get RHSSO support for GitOps operator working on disconnected cluster :)
from gitops-operator.
I think this can be closed now.
from gitops-operator.
Thanks @davidkarlsen
from gitops-operator.
closed without presenting a proper solution...
from gitops-operator.
closed without presenting a proper solution...
Hi @absynth76 , This issue is closed upon the reporter's request.
#91 (comment)
Please feel free to open a new issue with your concerns or post your questions here. I can re-open this issue with your comments.
from gitops-operator.