Security — ArgoCD
The tdp-argo chart supports LDAP authentication via Dex (tdp-argo.dex.enabled: true), with bind credentials in argocd-secret (keys dex.ldap.bindDN and dex.ldap.bindPW), dex.config in tdp-argo.configs.cm, and RBAC in tdp-argo.rbacConfig.
1. LDAP credentials in the Secret
With tdp-argo.configs.secret.createSecret: true, you can define extras rendered into argocd-secret:
```yaml
tdp-argo:
  configs:
    secret:
      createSecret: true
      extra:
        dex.ldap.bindDN: "uid=ldap.user,cn=users,cn=accounts,dc=example,dc=com"
        dex.ldap.bindPW: "<ldap-bind-password>"
```
Do not commit passwords. Use private values files, secure CI, or external secrets management.
2. Enable Dex and dex.config
```yaml
tdp-argo:
  configs:
    cm:
      url: https://<host>
      dex.config: |
        connectors:
          - type: ldap
            id: ldap
            name: LDAP
            config:
              host: "<ldap-host>:389"
              insecureNoSSL: true
              insecureSkipVerify: true
              bindDN: "$dex.ldap.bindDN"
              bindPW: "$dex.ldap.bindPW"
              userSearch:
                baseDN: "cn=users,cn=accounts,dc=example,dc=com"
                filter: "(objectClass=person)"
                username: uid
                idAttr: uid
                emailAttr: mail
                nameAttr: givenName
    secret:
      createSecret: false
  dex:
    enabled: true
```
Adjust host, baseDN, and the SSL flags according to your directory. Note that insecureNoSSL: true makes Dex bind over plain LDAP (port 389), so the bind DN and password travel unencrypted, and insecureSkipVerify: true disables certificate verification; use LDAPS (port 636) or StartTLS with a trusted CA wherever the directory supports it. When createSecret: false, create and maintain argocd-secret by other means, with the keys referenced in dex.config ($dex.ldap.bindDN and $dex.ldap.bindPW) present in it.
3. RBAC for LDAP groups
```yaml
tdp-argo:
  rbacConfig:
    policy.default: role:readonly
    # policy.csv grammar: "g, <user or group>, <role>" and
    # "p, <subject>, <resource>, <action>, <object>, allow|deny"
    policy.csv: |
      g, devops-admins, role:admin
      g, data-platform, role:admin
      g, data-read, role:readonly
      p, role:ldap-user, applications, get, default/<namespace>, allow
      p, role:ldap-user, applications, sync, default/<namespace>, allow
      p, role:ldap-user, applications, override, default/<namespace>, allow
      p, role:ldap-user, clusters, get, *, allow
      g, *, role:ldap-user
```
Replace <namespace> with the Argo CD logical project/namespace you are using.
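The three pieces above have to agree with each other: every $key referenced in dex.config must exist in argocd-secret, the insecure* flags should be a conscious choice, and policy.csv must follow Argo CD's p/g grammar. The following pre-deploy check is an added example, not part of the tdp-argo chart; it works on the raw dex.config and policy.csv strings exactly as they are stored in argocd-cm, and all sample inputs are constructed.

```python
import re

# Constructed sample inputs mirroring the values layout above (not the chart's own files).
DEX_CONFIG = """\
connectors:
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: "ldap.example.com:389"
      insecureNoSSL: true
      insecureSkipVerify: true
      bindDN: "$dex.ldap.bindDN"
      bindPW: "$dex.ldap.bindPW"
"""
# Deliberately missing dex.ldap.bindPW to show the check firing.
SECRET_EXTRA = {"dex.ldap.bindDN": "uid=ldap.user,cn=users,cn=accounts,dc=example,dc=com"}
POLICY_CSV = """\
g, devops-admins, role:admin
p, role:ldap-user, applications, get, default/my-proj, allow
p, role:ldap-user, applications, *, default/my-proj, get
g:data-read, role:readonly
"""

SECRET_REF = re.compile(r"\$([A-Za-z0-9_.\-]+)")  # $dex.ldap.bindDN style references


def missing_secret_keys(dex_config, secret_extra):
    """Keys referenced as $key in dex.config that argocd-secret does not define."""
    return sorted(k for k in set(SECRET_REF.findall(dex_config)) if k not in secret_extra)


def insecure_ldap_flags(dex_config):
    """Flags that leave the Dex-to-LDAP connection unencrypted or unverified."""
    return sorted(f for f in ("insecureNoSSL", "insecureSkipVerify")
                  if re.search(rf"^\s*{f}:\s*true\s*$", dex_config, re.M))


def lint_policy_csv(policy_csv):
    """Report policy.csv lines that do not match Argo CD's p/g line grammar."""
    errors = []
    for n, raw in enumerate(policy_csv.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip() for x in line.split(",")]
        if f[0] == "p" and len(f) == 6 and f[5] in ("allow", "deny"):
            continue  # p, subject, resource, action, object, effect
        if f[0] == "g" and len(f) == 3:
            continue  # g, user-or-group, role
        errors.append(f"line {n}: {line}")
    return errors
```

Run the three functions against your real values file before helm upgrade; a non-empty result from missing_secret_keys is exactly the "config referenced key does not exist in secret" failure listed under Troubleshooting.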
Installation or upgrade
```shell
helm upgrade --install <release> \
  oci://registry.tecnisys.com.br/tdp/charts/tdp-argo \
  -n <namespace> --create-namespace
```
Login
- UI: open https://<host> and use "LOG IN VIA LDAP" (the local login/password form is only for local accounts).
- CLI:
```shell
argocd login <host> --sso
```
Troubleshooting
| Problem | Probable cause |
|---|---|
| no such host for argocd-dex-server | Dex disabled; set tdp-argo.dex.enabled: true |
| config referenced key does not exist in secret | Keys missing in argocd-secret |
| Invalid LDAP | Bind DN/password, connectivity, userSearch |
| User has no permission | rbacConfig.policy.csv |
Check the Argo CD server logs:
```shell
kubectl logs -n <namespace> deployment/<argocd-server-deployment> -f
```
Test LDAP from the Dex pod (example with ldapsearch):
```shell
kubectl exec -n <namespace> deployment/<argocd-dex-deployment> -- \
  ldapsearch -x -H ldap://<ldap-host>:389 \
  -D "<bind-dn>" \
  -w "<password>" \
  -b "<user-search-base>" \
  "(uid=<username>)"
```
Replace deployment names with the actual resources (kubectl get deploy -n <namespace>).