Introduction
I recently set up Argo CD to log in through Gitea's OAuth2; the same flow also works for GitLab and GitHub.
Official documentation
https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/
Create an application in Gitea
In Gitea, under Site Administration -> Applications, create an OAuth2 application whose redirect URI is
https://argocd.example.com/api/dex/callback
Use the public HTTPS address of Argo CD here: after the user authorizes, Gitea sends the browser back to this URL, and it checks the redirect_uri that Dex sends against the registered value, so the two must match exactly. If your Gitea version offers a "confidential client" option, keep it enabled, since Dex authenticates to Gitea with the client secret. Gitea then gives you a
- clientID
- clientSecret
Configure Argo CD
First, edit the argocd-cm ConfigMap that comes with the Argo CD install.yaml.
The options of the gitea connector (and of every other Dex connector, if you use a different one) are documented by Dex here:
https://dexidp.io/docs/connectors/gitea/
Below is my configuration:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
data:
  dex.config: |
    connectors:
      # Required field for connector id.
      - type: gitea
        id: gitea
        # Required field for connector name.
        name: Gitea
        config:
          # Credentials can be string literals or pulled from the environment.
          clientID: xxxxxx
          clientSecret: xxxxxx
          redirectURI: http://argocd-dex-server:5556/dex/callback
          # optional, default = https://gitea.com
          baseURL: https://git.xxxx.cn
  url: 'https://argocd.xxxx.cn'
Explanation of the parameters:
- redirectURI is the callback that Gitea sends the browser back to after authorization, not the address of the Dex server. It has to be the public callback registered in Gitea, https://argocd.xxxx.cn/api/dex/callback in this setup; an in-cluster address such as http://argocd-dex-server:5556/dex/callback is neither reachable from the user's browser nor registered in Gitea. Argo CD generates the Dex configuration itself and sets redirectURI for the connector types it knows (gitea among them) to <url>/api/dex/callback, which is why the value in the ConfigMap above does no harm; you can simply leave the field out.
- baseURL is the address of Gitea.
- url is the public address of Argo CD. Argo CD derives the Dex issuer (<url>/api/dex, shown as "config issuer" in the log below) and the callback from it, and argocd-server proxies /api/dex/ to argocd-dex-server, so only argocd-server needs to be exposed.
- clientSecret does not have to sit in plaintext in argocd-cm, which anyone who can read ConfigMaps in the namespace can read: store it under a key of the argocd-secret Secret (for example dex.gitea.clientSecret) and write clientSecret: $dex.gitea.clientSecret instead; Argo CD substitutes such $key values from argocd-secret when it builds the Dex configuration.
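The Gitea application and the Argo CD configuration above, combined into one script as an added example (my own code, not the post's or Argo CD's): it renders argocd-cm with the gitea connector, referencing the client secret as $dex.gitea.clientSecret, and a merge patch for argocd-secret that carries the secret itself, so a plain kubectl apply of a hand-written Secret does not wipe the other keys Argo CD keeps there. It omits redirectURI, since Argo CD derives it from url, restricts login to one Gitea organisation with the connector's orgs option from the Dex gitea connector docs, and checks that the redirect URI registered in Gitea is the one Argo CD will send. The URLs, organisation, namespace and client credentials are placeholders supplied through environment variables; kubectl's --patch-file flag is assumed to be available (kubectl 1.21 or later).

```shell
#!/bin/sh
# Added example: render Argo CD <-> Gitea SSO manifests with the client secret kept out of argocd-cm.
# Every value below is a placeholder (an assumption); override it via the environment.
# Values are interpolated into YAML double quotes, so they must not contain '"' or '\'.
set -eu

ARGOCD_URL="${ARGOCD_URL:-https://argocd.example.com}"  # public URL of Argo CD, same as url in argocd-cm
GITEA_URL="${GITEA_URL:-https://git.example.com}"        # Gitea base URL
GITEA_ORG="${GITEA_ORG:-platform-team}"                  # only members of this Gitea org may log in
CLIENT_ID="${CLIENT_ID:-gitea-client-id}"                # from the Gitea OAuth2 application
CLIENT_SECRET="${CLIENT_SECRET:-gitea-client-secret}"    # from the Gitea OAuth2 application
NAMESPACE="${NAMESPACE:-argocd}"

# Argo CD derives the Dex callback from its url; this exact value must be the
# redirect URI registered on the Gitea application. A trailing slash on url is tolerated.
expected_callback() {
  printf '%s/api/dex/callback\n' "${1%/}"
}

# Returns 0 when the redirect URI registered in Gitea ($2) matches what Argo CD sends for url $1.
check_callback() {
  [ "$(expected_callback "$1")" = "$2" ]
}

# Strategic merge patch for argocd-secret: adds one key and leaves the others
# (admin.password, server.secretkey, ...) alone, unlike a kubectl apply of a whole Secret.
render_secret_patch() {
  cat <<EOF
stringData:
  dex.gitea.clientSecret: "$1"
EOF
}

# argocd-cm with the gitea connector. clientSecret references the key in argocd-secret;
# Argo CD replaces \$<key> values from argocd-secret when it generates the Dex config.
render_cm() {
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: $NAMESPACE
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  url: "$1"
  dex.config: |
    connectors:
      - type: gitea
        id: gitea
        name: Gitea
        config:
          clientID: "$3"
          clientSecret: \$dex.gitea.clientSecret
          baseURL: "$2"
          # Dex gitea connector option: only members of these orgs may log in.
          orgs:
            - name: "$4"
EOF
}

# Guard used before writing files: the rendered ConfigMap must not contain the literal secret.
cm_contains_literal() {
  render_cm "$ARGOCD_URL" "$GITEA_URL" "$CLIENT_ID" "$GITEA_ORG" | grep -qF -- "$1"
}

# Set WRITE_MANIFESTS to a directory to write both files and print the commands to apply them.
if [ -n "${WRITE_MANIFESTS:-}" ]; then
  mkdir -p "$WRITE_MANIFESTS"
  if cm_contains_literal "$CLIENT_SECRET"; then
    echo "refusing to write: the client secret would land in argocd-cm" >&2
    exit 1
  fi
  render_secret_patch "$CLIENT_SECRET" > "$WRITE_MANIFESTS/argocd-secret.patch.yaml"
  render_cm "$ARGOCD_URL" "$GITEA_URL" "$CLIENT_ID" "$GITEA_ORG" > "$WRITE_MANIFESTS/argocd-cm.yaml"
  echo "register this redirect URI on the Gitea application: $(expected_callback "$ARGOCD_URL")"
  echo "kubectl -n $NAMESPACE patch secret argocd-secret --patch-file $WRITE_MANIFESTS/argocd-secret.patch.yaml"
  echo "kubectl -n $NAMESPACE apply -f $WRITE_MANIFESTS/argocd-cm.yaml"
fi
```

Run it as `WRITE_MANIFESTS=./sso ARGOCD_URL=... GITEA_URL=... CLIENT_ID=... CLIENT_SECRET=... sh render.sh`, then apply the patch and the ConfigMap with the printed commands; argocd-server notices the changed dex.config and restarts Dex, as the logs in the next section show.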
If everything is configured correctly, the log of the argocd-dex-server pod should show
time="2023-11-07T06:27:29Z" level=info msg="config issuer: https://argocd.xxxxx.cn/api/dex"
time="2023-11-07T06:27:29Z" level=info msg="config storage: memory"
time="2023-11-07T06:27:29Z" level=info msg="config static client: Argo CD"
time="2023-11-07T06:27:29Z" level=info msg="config static client: Argo CD CLI"
time="2023-11-07T06:27:29Z" level=info msg="config connector: gitea"
time="2023-11-07T06:27:29Z" level=info msg="config skipping approval screen"
time="2023-11-07T06:27:29Z" level=info msg="config refresh tokens rotation enabled: true"
time="2023-11-07T06:27:29Z" level=info msg="keys expired, rotating"
time="2023-11-07T06:27:29Z" level=info msg="keys rotated, next rotation: 2023-11-07 12:27:29.667592289 +0000 UTC"
time="2023-11-07T06:27:29Z" level=info msg="listening (telemetry) on 0.0.0.0:5558"
time="2023-11-07T06:27:29Z" level=info msg="listening (https) on 0.0.0.0:5556"
time="2023-11-07T06:27:29Z" level=info msg="listening (grpc) on 0.0.0.0:5557"
and the argocd-server pod shows
time="2023-11-07T06:27:29Z" level=info msg="dex config modified. restarting"
time="2023-11-07T06:27:29Z" level=info msg="shutting down settings watch"
time="2023-11-07T06:27:29Z" level=info msg="Shut down requested"
time="2023-11-07T06:27:29Z" level=info msg="0xc0009bf140 unsubscribed from settings updates"
time="2023-11-07T06:27:29Z" level=info msg="rbac configmap informer cancelled"
time="2023-11-07T06:27:29Z" level=info msg="Creating client app (argo-cd)"
time="2023-11-07T06:27:29Z" level=info msg="argocd v2.8.6+6f7af53 serving on port 8080 (url: https://argocd.xxxxx.cn, tls: true, namespace: argocd, sso: true)"
time="2023-11-07T06:27:29Z" level=info msg="Enabled application namespace patterns: argocd"
time="2023-11-07T06:27:29Z" level=info msg="0xc0016448a0 subscribed to settings updates"
time="2023-11-07T06:27:29Z" level=info msg="Starting rbac config informer"
time="2023-11-07T06:27:29Z" level=info msg="RBAC ConfigMap 'argocd-rbac-cm' added"
Older Argo CD versions do not seem to reload the configuration automatically; if you see nothing like this, restart the argocd-dex-server and argocd-server pods.
Configure application permissions
A freshly logged-in user has no permissions at all, so you also need to edit this ConfigMap:
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
data:
  policy.csv: |
    # your e-mail address, as reported by Gitea
    g, [email protected], role:admin
  policy.default: role:readonly
If there are several users, add one g line per user. Two things to keep in mind: comments must be on their own line and start with #, because the policy loader splits every other line on commas and does not strip a trailing comment, so a line ending in "role:admin # your email" binds the user to a role literally named "role:admin # your email" instead of role:admin; and policy.default: role:readonly grants read access to every account that can log in to that Gitea instance, so if sign-up there is open, leave policy.default empty (users without an explicit role then get nothing, which is what you saw on first login) or restrict who may log in with the connector's orgs option. Details:
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
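A lint for policy.csv, as an added example (my own code, not the post's or Argo CD's): it reproduces the part of the loader that matters here, skipping blank lines and lines that start with #, splitting every other line on commas and trimming the fields, and it flags a g rule that does not have three fields, a p rule that does not have six, and any field that still contains a #, which is what a trailing comment turns into. The two sample policies are constructed for this example; the e-mail addresses are placeholders.

```shell
#!/bin/sh
# Added example: lint an Argo CD policy.csv the way its loader reads it. Not Argo CD's own code.
# Reads the policy on stdin; exit 0 = clean, exit 1 = at least one malformed line, reported per line.
lint_policy() {
  awk '
    {
      line = $0
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
    }
    # Only blank lines and whole-line comments are skipped by the loader.
    line == "" || line ~ /^#/ { next }
    {
      n = split(line, tok, ",")
      for (i = 1; i <= n; i++) { gsub(/^[ \t]+|[ \t]+$/, "", tok[i]) }
      if (tok[1] != "g" && tok[1] != "p") {
        printf "line %d: must start with p or g\n", NR; bad++; next
      }
      # g, <subject>, <role>
      if (tok[1] == "g" && n != 3) {
        printf "line %d: g rule needs 3 fields, got %d\n", NR, n; bad++; next
      }
      # p, <subject>, <resource>, <action>, <object>, <effect>
      if (tok[1] == "p" && n != 6) {
        printf "line %d: p rule needs 6 fields, got %d\n", NR, n; bad++; next
      }
      # Nothing strips a comment that follows the fields: it stays inside the last field.
      for (i = 1; i <= n; i++) {
        if (tok[i] ~ /#/) {
          printf "line %d: field %d \"%s\" contains a comment; trailing comments are not stripped\n", NR, i, tok[i]
          bad++
        }
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed sample policies (placeholder addresses).
# The first one carries the trailing-comment mistake; the second is the fixed form.
BROKEN_POLICY='g, [email protected], role:admin # your email
p, role:dev, applications, get, */*, allow'

CLEAN_POLICY='# your email, as reported by Gitea
g, [email protected], role:admin
p, role:dev, applications, get, */*, allow
g, [email protected], role:dev'

# Usage: printf "%s\n" "$CLEAN_POLICY" | lint_policy
# or, against the live ConfigMap:
#   kubectl -n argocd get cm argocd-rbac-cm -o jsonpath='{.data.policy\.csv}' | lint_policy
```

Run it before applying an RBAC change, or wire it into the pipeline that renders argocd-rbac-cm; a non-zero exit blocks the commit or the apply.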
You are welcome to follow my blog at www.bboy.app
Have Fun