Want to integrate argo server with keycloak

Posted: 2021-05-01 05:24:27

[Question]:

I also tried incognito mode, but the same problem persists.

Currently I have added the following to server-deployment.yaml:

args:
- server
- --auth-mode
- sso

In values.yaml:

sso:
# #SSO configuration when SSO is specified as a server auth mode.
# #All the values are requied. SSO is activated by adding --auth-mode=sso
# #to the server command line.
#
# #The root URL of the OIDC identity provider.
issuer: http://<keycloak_ip>/auth/realms/demo
# #Name of a secret and a key in it to retrieve the app OIDC client ID from.
clientId:
name: argo
key: client-id
# #Name of a secret and a key in it to retrieve the app OIDC client secret from.
clientSecret:
name: "argo-server-sso"
key: client-secret
# # The OIDC redirect URL. Should be in the form /oauth2/callback.
redirectUrl: http:///argo/oauth2/callback

In the Keycloak UI I created the client and the client credentials.

kubectl create secret generic "argo-server-sso" --from-literal=client-secret=9a9c60ba-647d-480c-b6fa-82c19caad26a
kubectl create secret generic "argo" --from-literal=client-id=argo

After opening the argo server URL I have to click the login option manually, but after the Keycloak page appears it pops up "Login failed: unauthorized" again. Server logs:

kubectl logs argo-server-5c7f8c5cbb-9fcqk
time="2021-01-20T12:06:26.876Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=default secure=false
time="2021-01-20T12:06:26.877Z" level=warning msg="You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo/tls/"
time="2021-01-20T12:06:26.877Z" level=info msg="config map" name=argo-workflow-controller-configmap
time="2021-01-20T12:06:28.318Z" level=info msg="SSO configuration" clientId="argo client-id " issuer="http://10.xx.xx.xx:xxxx/auth/realms/demo" redirectUrl="http://xx/argo/oauth2/callback"
time="2021-01-20T12:06:28.318Z" level=info msg="SSO enabled"
time="2021-01-20T12:06:28.322Z" level=info msg="Starting Argo Server" instanceID= version=v2.12.2
time="2021-01-20T12:06:28.322Z" level=info msg="Creating event controller" operationQueueSize=16 workerCount=4
time="2021-01-20T12:06:28.323Z" level=info msg="Argo Server started successfully on http://localhost:2746"
time="2021-01-20T12:07:21.990Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = token not valid for running mode" grpc.code=Unauthenticated grpc.method=GetVersion grpc.service=info.InfoService grpc.start_time="2021-01-20T12:07:21Z" grpc.time_ms=0.379 span.kind=server system=grpc
time="2021-01-20T12:07:22.009Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = token not valid for running mode" grpc.code=Unauthenticated grpc.method=ListWorkflowTemplates grpc.service=workflowtemplate.WorkflowTemplateService grpc.start_time="2021-01-20T12:07:22Z" grpc.time_ms=0.075 span.kind=server system=grpc

[Comments]:

Does anyone know what "running mode" refers to here?

Yes @lindhe! Read this line and you will understand: github.com/argoproj/argo-helm/blob/…

Awesome. Thanks!

[Answer 1]:

I successfully integrated ArgoCD with Keycloak.

You have one clear/visible problem: wrong YAML indentation.

Make sure you keep the correct indentation as in the helm chart defaults: https://github.com/argoproj/argo-helm/blob/1aea2c41798972ff0077108f926bb9095f3f9deb/charts/argo/values.yaml#L255-L283

So your values should be (assuming your argo is served on the hostname workflows.company.com):

server:
  extraArgs:
  -  --auth-mode=sso
  sso:
    issuer: http://<keycloak_ip>/auth/realms/demo
    clientId:
      name: argo
      key: client-id
    clientSecret:
      name: "argo-server-sso"
      key: client-secret
    redirectUrl: https://workflows.company.com/argo/oauth2/callback

Now on the Keycloak side, under your client, make sure you fill in the Valid Redirect URIs according to your ingress hostname:
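The answer points at three things that have to line up before the SSO login can succeed: the `sso` block must sit under `server` in values.yaml, the two Secrets it references must exist with the expected keys, and `redirectUrl` must be a full URL that the Keycloak client's Valid Redirect URIs accept. The script below is an added example (mine, not code from the question, the answer or the argo-helm chart) that checks those points on a values file before it is deployed. It assumes values.yaml has already been loaded into a dict (for instance with PyYAML) and that the referenced Secrets are available as a `{name: {key: value}}` map gathered separately (for instance from `kubectl get secret -o json`); the sample values, secret contents and Keycloak redirect pattern are constructed for the example.

```python
from urllib.parse import urlsplit


def _is_url(value):
    """True if value is an http(s) URL with a non-empty host part."""
    parts = urlsplit(str(value))
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def _matches_redirect(url, patterns):
    """Keycloak 'Valid Redirect URIs' entries are exact values or end in a '*' wildcard."""
    for pat in patterns:
        if pat.endswith("*"):
            if url.startswith(pat[:-1]):
                return True
        elif url == pat:
            return True
    return False


def _check_secret_ref(sso, field, secrets, problems):
    """Verify that sso.<field> names an existing Secret and key holding a non-empty value."""
    ref = sso.get(field)
    if not isinstance(ref, dict) or "name" not in ref or "key" not in ref:
        problems.append(f"server.sso.{field} needs both 'name' and 'key'")
        return
    name, key = str(ref["name"]), str(ref["key"])
    if name not in secrets:
        problems.append(f"Secret '{name}' referenced by {field} does not exist")
    elif key not in secrets[name]:
        problems.append(f"Secret '{name}' has no key '{key}' (referenced by {field})")
    elif not secrets[name][key]:
        problems.append(f"Secret '{name}' key '{key}' is empty")


def check_sso(values, secrets, valid_redirect_uris):
    """Return the list of problems found in the SSO settings; an empty list means no finding."""
    problems = []
    server = values.get("server") or {}
    sso = server.get("sso")
    if not isinstance(sso, dict):
        # The question's values.yaml had 'sso' at top level instead of under 'server'
        problems.append("server.sso is missing: the sso block must be indented under 'server'")
        return problems

    # --auth-mode=sso must reach the server binary; accept one-token and two-token forms
    flat = " ".join(str(a).strip() for a in (server.get("extraArgs") or []))
    if "--auth-mode=sso" not in flat and "--auth-mode sso" not in flat:
        problems.append("server.extraArgs does not contain --auth-mode=sso")

    issuer = str(sso.get("issuer", ""))
    if "<" in issuer or ">" in issuer:
        problems.append("issuer still contains a placeholder such as <keycloak_ip>")
    elif not _is_url(issuer):
        problems.append("issuer must be an http(s) URL such as https://keycloak.example.com/auth/realms/demo")

    _check_secret_ref(sso, "clientId", secrets, problems)
    _check_secret_ref(sso, "clientSecret", secrets, problems)

    redirect = str(sso.get("redirectUrl", ""))
    if not _is_url(redirect):
        problems.append(f"redirectUrl '{redirect}' has no scheme or host")
    else:
        if not urlsplit(redirect).path.endswith("/oauth2/callback"):
            problems.append("redirectUrl must end in /oauth2/callback")
        if not _matches_redirect(redirect, valid_redirect_uris):
            problems.append("redirectUrl is not covered by the Keycloak client's Valid Redirect URIs")
    return problems


# Constructed sample data (not real secrets): what `kubectl create secret generic ...` produced
SECRETS = {
    "argo": {"client-id": "argo"},
    "argo-server-sso": {"client-secret": "CONSTRUCTED-CLIENT-SECRET"},
}
# Constructed: the Keycloak client's Valid Redirect URIs entry for the ingress hostname
KEYCLOAK_REDIRECTS = ["https://workflows.company.com/*"]

# Constructed copy of the question's sso block: placeholder issuer, redirectUrl without a host
QUESTION_SSO = {
    "issuer": "http://<keycloak_ip>/auth/realms/demo",
    "clientId": {"name": "argo", "key": "client-id"},
    "clientSecret": {"name": "argo-server-sso", "key": "client-secret"},
    "redirectUrl": "http:///argo/oauth2/callback",
}
MISNESTED_VALUES = {"server": {"extraArgs": ["--auth-mode", "sso"]}, "sso": QUESTION_SSO}
BROKEN_VALUES = {"server": {"extraArgs": ["--auth-mode", "sso"], "sso": QUESTION_SSO}}

# Constructed sample following the answer's layout, with a stand-in issuer host
FIXED_VALUES = {
    "server": {
        "extraArgs": ["--auth-mode=sso"],
        "sso": {
            "issuer": "http://keycloak.example.com/auth/realms/demo",
            "clientId": {"name": "argo", "key": "client-id"},
            "clientSecret": {"name": "argo-server-sso", "key": "client-secret"},
            "redirectUrl": "https://workflows.company.com/argo/oauth2/callback",
        },
    },
}

if __name__ == "__main__":
    samples = (("misnested", MISNESTED_VALUES), ("question", BROKEN_VALUES), ("answer", FIXED_VALUES))
    for label, values in samples:
        print(label, "->", check_sso(values, SECRETS, KEYCLOAK_REDIRECTS) or "no findings")
```

Running it reports the indentation fault for the misnested copy, the placeholder issuer and host-less redirectUrl for the question's block, and nothing for the answer's layout. The redirect check deliberately compares the exact callback URL against the Keycloak pattern, since a mismatch between the two is what sends the browser back to the login page with an error.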
