ArgoCD SSO 구성 가이드(Gitlab)

Overview

지난 포스팅에서는 GCP OAuth를 기반으로 ArgoCD의 SSO(Single Sign-On)를 구성해보았다면,
이번 글에서는 GitLab OAuth를 통해 ArgoCD SSO를 구성하는 방법을 정리해본다.

 

ArgoCD는 Dex라는 인증 프록시를 통해 다양한 OAuth2 제공자(Google, GitHub, GitLab 등)와 연동이 가능하다.
기업이나 개인이 GitLab을 자체 호스팅하거나 GitLab.com을 사용하는 경우,
GitLab 계정을 기반으로 ArgoCD에 로그인/인증/권한 제어까지 통합 관리할 수 있어 SSO 설정은 매우 유용하다.

 

 

이번 실습에서는 다음을 다룬다.

• GitLab OAuth 애플리케이션 생성
• GitLab에서 SSO를 위한 OAuth 설정
• ArgoCD의 dex.config, RBAC, secrets 구성 방법
• Helm을 이용한 ArgoCD 재배포 및 Dex 서버 재시작
• 실제 로그인 시 OAuth 인증 흐름 확인

 

Google OAuth 설정과 비교해 GitLab은 그룹 기반 권한 제어(RBAC)가 조금 더 직관적이므로
GitLab CI/CD와 ArgoCD를 함께 사용하는 사용자에게 특히 적합한 구성이다.

 

 

 

 

 

📅 관련 글

2023.05.16 - [IaC/CI CD Tool] - ArgoCD란?

2023.08.09 - [IaC/CI CD Tool] - ArgoCD 설치 AWS & GCP

2023.10.02 - [IaC/CI CD Tool] - ArgoCD ApplicationSet이란? (작성 방법)

2024.02.02 - [IaC/CI CD Tool] - Argo Workflow란?

2025.03.04 - [IaC/CI CD Tool] - ArgoCD Slack Notification 설정 방법

2024.04.09 - [IaC/CI CD Tool] - ArgoCD SSO 구성 가이드(GCP Oauth)

 

 

 

 

---

 

 

 

1. Gitlab App 생성

• GitLab에서 Applications 메뉴로 이동 (Admin Area > Applications)
• 새 애플리케이션 생성:
• Name: Argo CD
• Redirect URI: https://<argocd urI>/api/dex/callback
• Scopes 선택:
  • read_user
  • openid
  • profile
  • email

 

• Concentration
  Appliaction ID와 Secret 값이 중요하다.
  • Application ID (Client ID)
  • Secret (Client Secret)

 

 

2. GitLab 설치

ArgoCD Installation Guide

This guide describes how to install and configure ArgoCD in a Kubernetes cluster.

Prerequisites

• Kubernetes cluster
• Helm 3
• Ingress controller (nginx)
• Domain for ArgoCD (e.g., argocd.somaz.link)

Installation Steps

1. Prepare Helm Chart

# Clone repository
git clone https://github.com/argoproj/argo-helm.git
# Add Helm repository
helm repo add argo https://argoproj.github.io/argo-helm
# Copy and prepare files
cp -r argo-helm/charts/argo-cd .
cd argo-cd/
mkdir -p values
cp values.yaml values/mgmt.yaml
# Update dependencies
helm dependency update
# Clean up
rm -rf argo-helm

2. Configure SSH Known Hosts

Get the SSH known hosts keys for your Git repositories:

ssh-keyscan gitlab.your-domain.com

3. Configure values.yaml

Create values/mgmt.yaml with the following configuration (adjust according to your needs):

global:
  domain: argocd.your-domain.com

configs:
  params:
    create: true
    server.insecure: true # TODO: If you want to use SSL, please set this to false

  ssh:
    extraHosts: |
      # Add your SSH known hosts here
      gitlab.concrit.us ssh-rsa AAAAB3N...
      gitlab.concrit.us ecdsa-sha2-nistp256...
      gitlab.concrit.us ssh-ed25519 AAAA..

controller:
  replicas: 1

dex:
  enabled: true

redis:
  enabled: true

server:
  replicas: 1
  ingress:
    enabled: true
    annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
      nginx.ingress.kubernetes.io/ssl-passthrough: "false"
    ingressClassName: "nginx"
    path: /
    pathType: Prefix

repoServer:
  replicas: 1

applicationSet:
  replicas: 1

notifications:
  enabled: true

4. Install with Helm

# Validate configuration
helm lint --values ./values/mgmt.yaml

# Preview installation (optional)
helm install argocd . -n argocd -f ./values/mgmt.yaml --create-namespace --dry-run --debug

# Install
helm install argocd . -n argocd -f ./values/mgmt.yaml --create-namespace

# Upgrade (if needed)
helm upgrade argocd . -n argocd -f ./values/mgmt.yaml

5. Verify Installation

kubectl get po -n argocd

6. Get Initial Admin Password

kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d

Post-Installation Configuration

1. Install ArgoCD CLI

brew install argocd

2. Login to ArgoCD

argocd login argocd.your-domain.com

3. Add Cluster to ArgoCD

argocd cluster add your-context@your-cluster --name your-cluster-name --system-namespace argocd

4. Configure CI/CD User

1. Create a CI/CD user account in your Git provider
2. Generate SSH key for CI/CD:

ssh-keygen -t rsa -b 4096 -C "cicd@your-domain.com" -f ~/.ssh/id_rsa_cicd

3. Add the public key to the CI/CD user's SSH keys in your Git provider

5. Create Repository Secret

Create a secret for Git repository access:

apiVersion: v1
kind: Secret
metadata:
  name: gitlab-appset-repo-secret
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: git
  url: git@gitlab.your-domain.com:your-group/your-repo.git
  sshPrivateKey: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    [Your private key content here]
    -----END OPENSSH PRIVATE KEY-----

Apply the secret:

kubectl apply -f gitlab-appset-repo-secret.yaml -n argocd

Key Features

• Web UI for application deployment and management
• SSO integration with Dex
• Git repository integration
• Automated sync and deployment
• Application health monitoring
• Notifications support

Security Notes

• Change the default admin password immediately after installation
• Configure SSL/TLS for secure access
• Review and update SSH known hosts as needed
• Consider enabling additional security features based on your requirements
• Store SSH keys and secrets securely
• Use dedicated CI/CD accounts with limited permissions
• Regularly rotate SSH keys and credentials
• Monitor repository access and activities

References

• https://argo-cd.readthedocs.io/en/stable/getting_started/
• https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
• https://argo-cd.readthedocs.io/en/stable/operator-manual/security/
• https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/

view raw gistfile1.md hosted with ❤ by GitHub

 

 

 

3. GitLab SSO 설정

 

values/mgmt.yaml

global:
  # -- Default domain used by all components
  ## Used for ingresses, certificates, SSO, notifications, etc.
  domain: argocd.somaz.link

configs:
  cm:
    timeout.reconciliation: 60s
    # Add account settings
    dex.config: |
      connectors:
        - type: gitlab
          id: gitlab
          name: GitLab
          config:
            baseURL: <gitlab url> # e.g http://gitlab.somaz.link 
            clientID: <application id>
            clientSecret: <secret>
            redirectURI: https://<argocd url>/api/dex/callback
            groups:
              - server
  params:
    create: true
    server.insecure: true
  # SSH known hosts for Git repositories
  ## Ref: https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#ssh-known-host-public-keys
  ssh:
    # -- Additional known hosts for private repositories
    extraHosts: |
      gitlab.concrit.us ssh-rsa AAAAB3N...
      gitlab.concrit.us ecdsa-sha2-nistp256...
      gitlab.concrit.us ssh-ed25519 AAAA..
  # Add RBAC settings
  rbac:
    create: true
    policy.csv: |
      p, role:org-admin, applications, *, */*, allow
      p, role:org-admin, clusters, get, *, allow
      p, role:org-admin, repositories, *, *, allow
      p, role:org-admin, projects, get, *, allow
      p, role:org-admin, logs, get, *, allow
      p, role:org-admin, exec, create, */*, allow
      
      # GitLab 그룹 멤버에게 admin 권한 부여
      g, <group>, role:org-admin # gitlab group
  
  secrets:
    # GitLab SSO Configuration
    dex.gitlab.clientId: "<application id>"
    dex.gitlab.clientSecret: "<secret>"

• SSO 설정 시 중요한 값들
  • dex.config : 인증 설정
  • rbac : 권한 설정

 

 

Helm Upgrade 후에 Dex Server가 재시작 되지 않았다면 한번더 restart 해준다.

# helm upgrade
helm upgrade argocd . -n argocd -f ./values/mgmt.yaml

# Dex sever Restart
k rollout restart -n argocd deployment argocd-dex-server

 

 

처음 로그인 시에는 동의페이지가 뜬다.

 

 

Login 후 User Info를 확인해보면 아래와 같이 나올 것이다. 

 

 

마무리

🔔 GitLab ArgoCD SSO 설정 요약

• GitLab Application에서 clientId(=Application ID)와 clientSecret(=Secret)을 발급받아야 한다.
• ArgoCD values.yaml에 Dex connector와 RBAC 설정이 필요하다.
• groups와 role 매핑을 통해 권한을 관리할 수 있다.

 

 

---

Reference

1. ArgoCD Dex GitLab Connector 공식 가이드
   https://dexidp.io/docs/connectors/gitlab/
2. ArgoCD SSO 구성 공식 문서 (Dex 기반)
   https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/sso/
3. GitLab OAuth2 Applications 공식 가이드
   https://docs.gitlab.com/ee/integration/oauth_provider.html
4. ArgoCD RBAC 정책 가이드
   https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/