Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSO using dex and google groups is not working #457

Open
alonbnhubsecurity opened this issue Apr 18, 2023 · 0 comments
Open

SSO using dex and google groups is not working #457

alonbnhubsecurity opened this issue Apr 18, 2023 · 0 comments

Comments

@alonbnhubsecurity
Copy link

alonbnhubsecurity commented Apr 18, 2023

Hello,
I am trying to add SSO with Google to my ArgoCD.
I followed this documentation but It doesn't work for me.
Whenever I press the LOG IN VIA GOOGLE button it just redirects me to the login page (back to https://argocd.my-domain.com/login?return_url...) and gives me the following errors:

GET https://argocd.my-domain.com/api/v1/clusters 401

main.c87xxxxxxxxxxxx30256.js:2 Uncaught (in promise) Error: {"error":"no session information","code":16,"message":"no session information"}
    at x.<anonymous> (main.c87xxxxxxxxxxxx30256.js:2:1010475)
    at t.emit (main.c87xxxxxxxxxxxx30256.js:2:148831)
    at XMLHttpRequest.<anonymous> (main.c87xxxxxxxxxxxx30256.js:2:1014299)
    
GET https://argocd.my-domain.com/api/v1/applications?fields=metadata.resourceVersion%2Citems.metadata.name%2Citems.metadata.namespace%2Citems.metadata.annotations%2Citems.metadata.labels%2Citems.metadata.creationTimestamp%2Citems.metadata.deletionTimestamp%2Citems.spec%2Citems.operation.sync%2Citems.status.sync.status%2Citems.status.sync.revision%2Citems.status.health%2Citems.status.operationState.phase%2Citems.status.operationState.operation.sync%2Citems.status.summary%2Citems.status.resources&selector=&appNamespace= 401

Log in with admin works fine.

apiVersion: kustomize.config.k8s.io/v1beta1
configMapGenerator:
- behavior: merge
  literals:
  - |
    repository.credentials=- passwordSecret:
        key: git_token
        name: autopilot-secret
      url: https://private-git-url/ # We have private git and it's configured and working with our argo
      usernameSecret:
        key: git_username
        name: autopilot-secret
  - |
    dex.config=connectors:
      - config:
          redirectURI: https://argocd.my-domain.com/api/dex/callback
          clientID: XXXXXXXXXXXXXXXapps.googleusercontent.com
          clientSecret: XXXXXXXXXXXXXXX
          serviceAccountFilePath: /tmp/oidc/googleAuth.json
          adminEmail: <my.email@dev-domain.dev> # my email is super admin I also tried to give it an email with the group that I wanted 
        type: google
        id: google
        name: Google
  name: argocd-cm
- behavior: merge
  literals:
  - policy.default=role:readonly
  name: argocd-rbac-cm
kind: Kustomization
namespace: argocd
resources:
- github.com/argoproj-labs/argocd-autopilot/manifests/insecure?ref=v0.4.2
- ./argogrpc.service.yaml
- ./backendconfig.yaml
- ./frontconfig.yaml
- ./ingress.yaml
- ./managed-cert.yaml
- ./argocd-google-groups-json-secret-sealed.yaml #the argocd-google-groups-json-secret as sealed secret
patchesStrategicMerge:
- ./patches/patch-argocd-dex-server.yaml

The ./patches/patch-argocd-dex-server.yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-dex-server
spec:
  template:
    spec:
      containers:
        - name: dex	
          volumeMounts:	
            - mountPath: /tmp/oidc
              name: google-json
              readOnly: true
      volumes:
      - name: google-json
        secret:
          defaultMode: 420
          secretName: argocd-google-groups-json

The dev-domain.dev is the domain that we use for our GCP account.
I enabled both domains in the GCP app.
As for permissions for the SA user I created, I gave it Organization Administrator in the meantime as it does not really specify what kind of role it needs and I didn't want to have permission problems.
After every change I reset the argocd-dex-deploument.

The ArgoCD version I am using is v2.6.7+5bcd846 based on github.com/argoproj-labs/argocd-autopilot/manifests/insecure?ref=v0.4.2.

GKE version 1.25.6-gke.1000 and updated to 1.25.7-gke.1000

Trying to login with cli and sso give me the following:
FATA[0000] Failed to query provider "/api/dex": Get "/api/dex/.well-known/openid-configuration": unsupported protocol scheme ""

Please help me troubleshoot this problem,
Let me know if you need me to add more information.

Screen.Recording.2023-04-18.at.13.00.57.mov
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant