After the Red Hat OpenShift GitOps Operator is installed, Argo CD automatically creates a user with admin permissions. To manage multiple users, cluster administrators can use Argo CD to configure Single Sign-On (SSO).

Enabling the Dex OpenShift OAuth Connector

Dex uses the users and groups defined within OpenShift by checking the OAuth server provided by the platform. The following example shows the properties of Dex along with example configurations:

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
  name: example-argocd
    example: openshift-oauth
    openShiftOAuth: true (1)
     - default
    defaultPolicy: 'role:readonly'
    policy: |
      g, cluster-admins, role:admin
    scopes: '[groups]'
1 The openShiftOAuth property triggers the Operator to automatically configure the built-in OpenShift OAuth server when the value is set to true.
2 The groups property allows users of the specified group(s) to log in.
3 The RBAC policy property assigns the admin role in the Argo CD cluster to users in the OpenShift cluster-admins group.

Mapping users to specific roles

Argo CD cannot map users to specific roles if they have a direct ClusterRoleBinding role. You can manually change the role as role:admin on SSO through OpenShift.

  1. Create a group named cluster-admins.

    $ oc adm groups new cluster-admins
  2. Add the user to the group.

    $ oc adm groups add-users cluster-admins USER
  3. Apply the cluster-admin ClusterRole to the group:

    $ oc adm policy add-cluster-role-to-group cluster-admin cluster-admins

Disabling Dex

Dex is installed by default for all the Argo CD instances created by the Operator. You can disable Dex.

  • Set the environmental variable DISABLE_DEX to true in the YAML resource of the Operator:

        - name: DISABLE_DEX
          value: "true"