authentik/website/integrations/services/argocd/index.md

---
title: ArgoCD
---

<span class="badge badge--secondary">Support level: Community</span>

## What is ArgoCD

From https://argoproj.github.io/cd/

:::note
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
:::

## Preparation

The following placeholders will be used:

-   `argocd.company` is the FQDN of the ArgoCD install.
-   `authentik.company` is the FQDN of the authentik install.

:::note
Only settings that have been modified from default have been listed.
:::

## authentik Configuration

### Step 1 - Provider creation

In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:

-   Name: ArgoCD
-   Client Type: `Confidential`
-   Signing Key: Select any available key
-   Redirect URIs:

```
http://argocd.company/api/dex/callback
http://localhost:8085/auth/callback
```

After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.

### Step 2 - Application creation

Create a new _Application_ (under _Applications/Applications_) with these settings:

-   Name: ArgoCD
-   Provider: ArgoCD
-   Slug: argocd
-   Launch URL: http://argocd.company/auth/login

### Step 3 - ArgoCD Admin Group creation

Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)

-   Name: ArgoCD Admins
-   Members: Add your user and/or any user that should be an ArgoCD admin

## ArgoCD Configuration

:::note
We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.
:::

### Step 1 - Add the OIDC Secret to ArgoCD

In the `argocd-secret` Secret, add the following value to the `data` field:

```yaml
dex.authentik.clientSecret: <base 64 encoded value of the Client Secret from the Provider above>
```

### Step 2 - Configure ArgoCD to use authentik as OIDC backend

In the `argocd-cm` ConfigMap, add the following to the data field :

```yaml
dex.config: |
    connectors:
    - config:
        issuer: http://authentik.company/application/o/<application slug defined in step 2>/
        clientID: <client ID from the Provider above>
        clientSecret: $dex.authentik.clientSecret
        insecureEnableGroups: true
        scopes:
          - openid
          - profile
          - email
      name: authentik
      type: oidc
      id: authentik
```

### Step 3 - Map the `ArgoCD Admins` group to ArgoCD's admin role

In the `argocd-rbac-cm` ConfigMap, add the following to the data field (or create it if it's not already there) :

```yaml
policy.csv: |
    g, ArgoCD Admins, role:admin
```

If you already had an "admin" group and thus didn't create the `ArgoCD Admins` one, just replace `ArgoCD Admins` with your existing group name.

Apply all the modified manifests, and you should be able to login to ArgoCD both through the UI and the CLI.
website/integrations: Add ArgoCD documentation (#3553) * Add ArgoCD documentation * fix naming and email verification configuration * specify Slug field and update url to specify it has to match the slug value * update preparation note * minor consistency fixes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-09-30 19:20:40 +00:00			`---`
			`title: ArgoCD`
			`---`

			`<span class="badge badge--secondary">Support level: Community</span>`

			`## What is ArgoCD`

			`From https://argoproj.github.io/cd/`

			`:::note`
			`Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.`
			`:::`

			`## Preparation`

			`The following placeholders will be used:`

			- `argocd.company` is the FQDN of the ArgoCD install.
			- `authentik.company` is the FQDN of the authentik install.

			`:::note`
			`Only settings that have been modified from default have been listed.`
			`:::`

			`## authentik Configuration`

			`### Step 1 - Provider creation`

			`In authentik, create an _OAuth2/OpenID Provider_ (under _Applications/Providers_) with these settings:`

			`- Name: ArgoCD`
website/integrations: Update ArgoCD documentation (#6108) * website/integrations: Update ArgoCD documentation * Update website/integrations/services/argocd/index.md Co-authored-by: Jens L. <jens@beryju.org> Signed-off-by: acelinkio <31336038+acelinkio@users.noreply.github.com> --------- Signed-off-by: acelinkio <31336038+acelinkio@users.noreply.github.com> Co-authored-by: Jens L. <jens@beryju.org> 2023-07-06 22:38:32 +00:00			- Client Type: `Confidential`
website/integrations: Add ArgoCD documentation (#3553) * Add ArgoCD documentation * fix naming and email verification configuration * specify Slug field and update url to specify it has to match the slug value * update preparation note * minor consistency fixes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-09-30 19:20:40 +00:00			`- Signing Key: Select any available key`
			`- Redirect URIs:`

			```
			`http://argocd.company/api/dex/callback`
			`http://localhost:8085/auth/callback`
			```

			After creating the provider, take note of the `Client ID` and `Client Secret`, you'll need to give them to ArgoCD in the _ArgoCD Configuration_ field.

			`### Step 2 - Application creation`

			`Create a new _Application_ (under _Applications/Applications_) with these settings:`

			`- Name: ArgoCD`
			`- Provider: ArgoCD`
			`- Slug: argocd`
website/integrations: Update ArgoCD documentation (#6108) * website/integrations: Update ArgoCD documentation * Update website/integrations/services/argocd/index.md Co-authored-by: Jens L. <jens@beryju.org> Signed-off-by: acelinkio <31336038+acelinkio@users.noreply.github.com> --------- Signed-off-by: acelinkio <31336038+acelinkio@users.noreply.github.com> Co-authored-by: Jens L. <jens@beryju.org> 2023-07-06 22:38:32 +00:00			`- Launch URL: http://argocd.company/auth/login`
website/integrations: Add ArgoCD documentation (#3553) * Add ArgoCD documentation * fix naming and email verification configuration * specify Slug field and update url to specify it has to match the slug value * update preparation note * minor consistency fixes Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Co-authored-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-09-30 19:20:40 +00:00
			`### Step 3 - ArgoCD Admin Group creation`

			`Create a new _Group_ (under _Directory/Groups_) that'll be used as the admin group for ArgoCD (if you already have an "admin" group, you can skip this part!)`

			`- Name: ArgoCD Admins`
			`- Members: Add your user and/or any user that should be an ArgoCD admin`

			`## ArgoCD Configuration`

			`:::note`
			`We're not going to use the oidc config, but instead the "dex", oidc doesn't allow ArgoCD CLI usage while DEX does.`
			`:::`

			`### Step 1 - Add the OIDC Secret to ArgoCD`

			In the `argocd-secret` Secret, add the following value to the `data` field:

			```yaml
			`dex.authentik.clientSecret: <base 64 encoded value of the Client Secret from the Provider above>`
			```

			`### Step 2 - Configure ArgoCD to use authentik as OIDC backend`

			In the `argocd-cm` ConfigMap, add the following to the data field :

			```yaml
			`dex.config: \|`
			`connectors:`
			`- config:`
			`issuer: http://authentik.company/application/o/<application slug defined in step 2>/`
			`clientID: <client ID from the Provider above>`
			`clientSecret: $dex.authentik.clientSecret`
			`insecureEnableGroups: true`
			`scopes:`
			`- openid`
			`- profile`
			`- email`
			`name: authentik`
			`type: oidc`
			`id: authentik`
			```

			### Step 3 - Map the `ArgoCD Admins` group to ArgoCD's admin role

			In the `argocd-rbac-cm` ConfigMap, add the following to the data field (or create it if it's not already there) :

			```yaml
			`policy.csv: \|`
			`g, ArgoCD Admins, role:admin`
			```

			If you already had an "admin" group and thus didn't create the `ArgoCD Admins` one, just replace `ArgoCD Admins` with your existing group name.

			`Apply all the modified manifests, and you should be able to login to ArgoCD both through the UI and the CLI.`