automation-suite
2023.10
false
UiPath logo, featuring letters U and I in white
Automation Suite on Linux Installation Guide
Last updated Nov 21, 2024

Enabling SSO for ArgoCD

Overview

To enable SSO authentication, you must use the uipathctl command-line tool.

Preparing the configuration files

You must generate the RBAC file and the Dex configuration file before enabling SSO for ArgoCD.

The RBAC file

The RBAC file contains access rules.

For details on the built-in role definitions, see the ArgoCD documentation.

For details on the ArgoCD account types and their permissions, see Managing the cluster in ArgoCD.

We recommend using these roles when defining your groups, but you can create your own set of permissions.

Configuring the RBAC file

  1. Create a file named policy.csv by running the following command:
    uipathctl config argocd generate-rbacuipathctl config argocd generate-rbac
  2. Add the following content to the policy.csv file and save it:
    p, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
    p, role:uipath-sync, applications, sync, */*, allow
    g, argocdro, role:uipath-sync
  3. Associate your RBAC groups with the built-in admin role and the UiPath® argocdro read-only role, by appending the following lines to the policy.csv RBAC file:
    g, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
    g, <your_ldap_admin_group_name>, role:admin
  4. Save the updated policy.csv RBAC file.

Example:

If your LDAP group for ArgoCD administrators is Administrators and the LDAP group for ArgoCD read-only users is Readers, the RBAC file should be similar to the one in the following example:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

For more advanced use cases, the following example shows the default RBAC file:

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

The Dex configuration file

The Dex configuration file contains the parameters required to configure SSO for ArgoCD.

Note: If you already have an LDAP connector file (ldap_connector.yaml), skip to Enabling the SSO for ArgoCD.

To configure SSO through LDAP, take the following steps:

  1. Generate the LDAP template file by running the following command. The connector template file is generated in the same directory you run the command.
    uipathctl config argocd generate-dex-config -t ldapuipathctl config argocd generate-dex-config -t ldap
  2. Copy the output which begins at --- and save it as ldap_connector.yaml.
    Example of an ArgoCD configuration file:
    ---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn---
    connectors:
      - type: ldap
        # Required field for connector id.
        id: ldap
        # Required field for connector name.
        name: OpenLDAP
        config:
          host: openldap:389
          insecureNoSSL: true
          startTLS: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: adminpassword
          usernamePrompt: Email Address
          userSearch:
            baseDN: ou=People,dc=example,dc=org
            filter: "(objectClass=person)"
            username: mail
            idAttr: DN
            emailAttr: mail
            nameAttr: cn
          # Group search queries for groups given a user entry.
          groupSearch:
            baseDN: ou=Groups,dc=example,dc=org
            filter: "(objectClass=groupOfNames)"
            userMatchers:
              - userAttr: DN
                groupAttr: member
            nameAttr: cn
    Example of an Active Directory LDAP connector file:
    ---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admins's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address---
    connectors:
    - id: ldap
      name: ActiveDirectory
      type: ldap
      config:
        bindDN: cn=admin,cn=Users,dc=example,dc=local
        bindPW: "<admins's password>"
        groupSearch:
          baseDN: dc=example,dc=local
          filter: "(objectClass=group)"
          nameAttr: cn
          userMatchers:
            - userAttr: distinguishedName
              groupAttr: member
        host: "ldaphost:389"
        insecureNoSSL: true
        insecureSkipVerify: true
        startTLS: false
        userSearch:
          baseDN: cn=Users,dc=example,dc=local
          emailAttr: userPrincipalName
          filter: (objectClass=person)
          idAttr: DN
          nameAttr: cn
          username: userPrincipalName
        usernamePrompt: Email Address
  3. Update the LDAP connector file with the required information and save it. We recommend using LDAPS.

Enabling SSO for ArgoCD

After preparing the RBAC and the Dex configuration file, you can enable SSO for ArgoCD:

  1. Update the cluster_config.json file with the following parameters:

    1. fabric.argocd_dex_config_file - enter the path to the previously created Dex configuration file.
    2. fabric.argocd_rbac_config_file - enter the path to the previously created RBAC file.
  2. Rerun the fabric installer:

    ./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement

  • Overview
  • Preparing the configuration files
  • The RBAC file
  • The Dex configuration file
  • Enabling SSO for ArgoCD

Was this page helpful?

Get The Help You Need
Learning RPA - Automation Courses
UiPath Community Forum
Uipath Logo White
Trust and Security
© 2005-2024 UiPath. All rights reserved.