
Use ldap to sync account between ks and argocd

Open chilianyi opened this issue 3 years ago • 1 comments

What version of KubeSphere DevOps has the issue?

v3.3.1

How did you install the Kubernetes? Or what is the Kubernetes distribution?

kubekey

Describe this feature

Like Jenkins, use LDAP to sync accounts between KubeSphere and Argo CD.

Create an account in ks and be able to sign in to argocd with the username and password.

Additional information

No response

chilianyi avatar Nov 29 '22 06:11 chilianyi

Try the following steps to complete the LDAP sync.

  1. Create the dex LDAP config-map

```bash
kubectl -n argocd edit configmaps argocd-cm
```

Patch in the KubeSphere LDAP config:

  • `url`: the value of `url` is the address redirected to after a successful LDAP login; please make sure it can be accessed.

```yaml
apiVersion: v1
metadata:
  # existing metadata of argocd-cm left unchanged
data:
  url: https://172.37.88.21:30809/
  dex.config: |-
    connectors:
    - type: ldap
      name: ks ldap
      id: ldap
      config:
        host: openldap.kubesphere-system.svc
        # insecureNoSSL: true makes dex use plain LDAP (port 389, no TLS), so the
        # bind password and user passwords are sent unencrypted to this host
        insecureNoSSL: true
        # disables certificate verification when TLS is used
        insecureSkipVerify: true
        # $dex.ldap.* values are substituted from the argocd-secret Secret
        bindDN: "$dex.ldap.bindDN"
        bindPW: "$dex.ldap.bindPW"
        usernamePrompt: Username
        userSearch:
          baseDN: "ou=Users,dc=kubesphere,dc=io"
          filter: "(objectClass=person)"
          username: uid
          idAttr: uid
          emailAttr: uid
          nameAttr: cn
        groupSearch:
          baseDN: "ou=Groups,dc=kubesphere,dc=io"
          filter: "(objectClass=groupOfUniqueNames)"
          userAttr: DN
          groupAttr: uniqueMember
          nameAttr: cn
```

  2. Patch the DN and PW secret

```bash
# echo -n: a plain echo appends a newline that would be encoded into the secret value
kubectl -n argocd patch secrets argocd-secret --patch "{\"data\":{\"dex.ldap.bindPW\":\"$(echo -n admin | base64)\"}}"
kubectl -n argocd patch secrets argocd-secret --patch "{\"data\":{\"dex.ldap.bindDN\":\"$(echo -n 'cn=admin,dc=kubesphere,dc=io' | base64)\"}}"
```

  3. Update the RBAC role

```bash
kubectl -n argocd edit configmap argocd-rbac-cm
```

Update the KubeSphere admin role:

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/component: server
    app.kubernetes.io/instance: devops
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
    helm.sh/chart: argo-cd-4.4.0
  annotations:
    meta.helm.sh/release-name: devops
    meta.helm.sh/release-namespace: argocd
data:
  policy.csv: |
    g, [email protected], role:admin
  policy.default: 'role:readonly'
  scopes: '[email, group]'
```

  4. Restart the dex-server and argocd-server

```bash
kubectl -n argocd rollout restart deployment devops-argocd-server devops-argocd-dex-server
```

Open argocd-server.

Use a KubeSphere account to log in to argocd.

Login success.

Feeeenng avatar Sep 08 '23 12:09 Feeeenng
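Step 2 of the comment above stores the bind DN and password base64-encoded in `argocd-secret`, and any trailing newline in the encoded input becomes part of the credential dex binds with. The following is an added example, not code from the thread or from the KubeSphere or Argo CD projects: it builds the same patch and checks an encoded value for stray trailing whitespace. The function names are hypothetical, and GNU `base64 -d` is assumed.

```shell
#!/usr/bin/env bash
# Added example: build and sanity-check the argocd-secret patch for the dex
# LDAP bind credentials. Function names are illustrative, not a project API.

# Encode a value exactly as given: printf '%s' adds no trailing newline, and
# tr removes the line wrapping that base64 applies to long input.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Return 0 if a base64 secret value decodes to a non-empty string without
# trailing newline, CR, space or tab; return 1 otherwise. The bytes are
# inspected as hex because $(...) would silently strip a trailing newline.
clean_secret() {
  decoded_hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
  case "$decoded_hex" in
    ""|*0a|*0d|*20|*09) return 1 ;;
    *) return 0 ;;
  esac
}

# Emit one JSON patch body that sets both keys referenced by dex.config.
ldap_bind_patch() {
  printf '{"data":{"dex.ldap.bindDN":"%s","dex.ldap.bindPW":"%s"}}' \
    "$(b64 "$1")" "$(b64 "$2")"
}

# Apply the patch (namespace and secret name as used in the thread).
# Not called here; needs kubectl and cluster access.
apply_ldap_bind() {
  kubectl -n argocd patch secrets argocd-secret \
    --patch "$(ldap_bind_patch "$1" "$2")"
}
```

To audit a value already stored in the cluster, pass the base64 string from the Secret's `data` field to `clean_secret`; a non-zero exit status means the stored credential ends in whitespace and should be re-patched.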