How do I configure ArgoCD to integrate seamlessly with a single sign-on (SSO) system?

> ArgoCD connects to SSO using the **SAML** protocol

---

## 1. Feilian application configuration

Configure the following in the Feilian (SealSuite) application:

| Setting | Value |
|---------|-------|
| **Entity ID** | `https://argocd.example.com/api/dex` |
| **Single sign-on URL** | `https://argocd.example.com/api/dex/callback` |
| **Single sign-on Binding** | `urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST` |
| **Name ID Format** | `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` |

---

## 2. ArgoCD Dex service configuration

### 2.1 Edit the ConfigMap

```bash
kubectl edit configmap argocd-cm -n argocd
```

### 2.2 Complete configuration example

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  # External URL of ArgoCD; Dex derives its issuer and callback from it
  url: https://argocd.example.com
  dex.config: |
    connectors:
    - type: saml
      id: saml
      name: Feilian
      config:
        ssoURL: https://ltp.sealsuite.com/api/idp/sso
        ssoIssuer: https://ltp.sealsuite.com/api/idp/metadata
        entityIssuer: https://argocd.example.com/api/dex
        redirectURI: https://argocd.example.com/api/dex/callback
        # Base64-encoded PEM certificate of the IdP, used to verify SAML signatures
        caData: |
          LS0tLS1CRUdJTi...(Base64-encoded CA certificate)...
        usernameAttr: email
        emailAttr: email
```

### 2.3 Key parameters

| Parameter | Description |
|-----------|-------------|
| `ssoURL` | IdP single sign-on URL |
| `ssoIssuer` | IdP metadata URL (issuer) |
| `entityIssuer` | ArgoCD Entity ID |
| `redirectURI` | Callback address |
| `caData` | IdP CA certificate (Base64-encoded) |
| `usernameAttr` | Username attribute |
| `emailAttr` | Email attribute |

---

## 3. Verifying the configuration

### 3.1 Check the Dex service status

```bash
kubectl -n argocd logs deploy/argocd-dex-server
```

### 3.2 Example of normal log output

```json
{"level":"info","msg":"ArgoCD Dex Server is starting","namespace":"argocd","time":"2025-05-14T02:48:27Z","version":"v3.0.0+e98f483"}
{"level":"info","msg":"Generating self-signed TLS certificate for this session","time":"2025-05-14T02:48:27Z"}
{"level":"info","msg":"Starting configmap/secret informers","time":"2025-05-14T02:48:27Z"}
{"level":"INFO","msg":"config connector","connector_id":"saml"}
{"level":"INFO","msg":"listening on","server":"https","address":"0.0.0.0:5556"}
{"level":"INFO","msg":"listening on","server":"grpc","address":"0.0.0.0:5557"}
```

### 3.3 Checkpoints

- `config connector","connector_id":"saml"` - confirms the SAML connector has been loaded
- `listening on","server":"https"` - confirms the HTTPS service has started

---

## 4. RBAC configuration (optional)

### 4.1 Configure user-to-role mapping

Edit the `argocd-rbac-cm` ConfigMap:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # "g" lines map a subject (here the e-mail passed by Dex) to a role
  policy.csv: |
    g, admin@example.com, role:admin
    g, dev@example.com, role:readonly
  # Role for any authenticated user not matched above
  policy.default: role:readonly
```

---

## 5. Common issues

### 5.1 SAML authentication fails

1. Check that the CA certificate is correct
2. Confirm that `entityIssuer` matches the Entity ID configured in Feilian
3. Check time synchronization (NTP)

### 5.2 User has no permissions after logging in

Configure the RBAC role mapping so that the user's e-mail address is mapped to the appropriate role.

### 5.3 Wrong callback address

Make sure `redirectURI` matches the single sign-on URL configured in the Feilian application.

---

*Document compiled: 2025-05*
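The consistency rules from sections 1, 2 and 5 (`entityIssuer` must equal the Feilian Entity ID, `redirectURI` must equal the Feilian single sign-on URL, `caData` must be Base64 that decodes to a PEM certificate) together with the two log checkpoints from section 3.3, as a POSIX shell preflight script. This is an added example, not part of the original page or of the ArgoCD or Dex projects. The `dex.config` text, the placeholder certificate and the log lines are constructed inline so it runs offline; in real use you would feed it the output of `kubectl -n argocd get cm argocd-cm -o jsonpath='{.data.dex\.config}'` and of the log command from 3.1. It reads `caData` as an inline scalar; the block-scalar form shown in 2.2 would need the continuation line joined first.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks that the
# argocd-cm dex.config agrees with the values configured in Feilian, and
# that the Dex server log shows the SAML connector loaded and HTTPS up.

# Values as configured on the Feilian side (section 1); assumed from the tutorial's sample.
FEILIAN_ENTITY_ID="https://argocd.example.com/api/dex"
FEILIAN_SSO_URL="https://argocd.example.com/api/dex/callback"

# Constructed placeholder PEM, Base64-encoded the same way caData expects.
CA_B64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' '-----END CERTIFICATE-----' | base64 | tr -d '\n')

# Constructed dex.config text (what the jsonpath query on argocd-cm would return).
DEX_CONFIG="connectors:
- type: saml
  id: saml
  name: Feilian
  config:
    ssoURL: https://ltp.sealsuite.com/api/idp/sso
    ssoIssuer: https://ltp.sealsuite.com/api/idp/metadata
    entityIssuer: https://argocd.example.com/api/dex
    redirectURI: https://argocd.example.com/api/dex/callback
    caData: $CA_B64
    usernameAttr: email
    emailAttr: email"

# Constructed log excerpt mirroring section 3.2.
DEX_LOG='{"level":"INFO","msg":"config connector","connector_id":"saml"}
{"level":"INFO","msg":"listening on","server":"https","address":"0.0.0.0:5556"}'

# dex_value KEY: print the scalar value of KEY from dex.config text on stdin.
dex_value() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# check_issuer CONFIG EXPECTED: entityIssuer must equal the Feilian Entity ID (FAQ 5.1, item 2).
check_issuer() {
  [ "$(printf '%s\n' "$1" | dex_value entityIssuer)" = "$2" ]
}

# check_redirect CONFIG EXPECTED: redirectURI must equal the Feilian SSO URL (FAQ 5.3).
check_redirect() {
  [ "$(printf '%s\n' "$1" | dex_value redirectURI)" = "$2" ]
}

# check_ca CONFIG: caData must be valid Base64 that decodes to a PEM certificate (FAQ 5.1, item 1).
check_ca() {
  printf '%s\n' "$1" | dex_value caData | base64 -d 2>/dev/null | grep -q '^-----BEGIN CERTIFICATE-----$'
}

# check_dex_logs LOGTEXT: both checkpoints from section 3.3 must be present.
check_dex_logs() {
  printf '%s\n' "$1" | grep -q '"msg":"config connector","connector_id":"saml"' &&
  printf '%s\n' "$1" | grep -q '"msg":"listening on","server":"https"'
}

# preflight: run every check, report each, and return non-zero if any failed.
preflight() {
  rc=0
  check_issuer "$DEX_CONFIG" "$FEILIAN_ENTITY_ID" && echo "ok   entityIssuer matches Feilian Entity ID" || { echo "FAIL entityIssuer"; rc=1; }
  check_redirect "$DEX_CONFIG" "$FEILIAN_SSO_URL" && echo "ok   redirectURI matches Feilian SSO URL" || { echo "FAIL redirectURI"; rc=1; }
  check_ca "$DEX_CONFIG" && echo "ok   caData decodes to a PEM certificate" || { echo "FAIL caData"; rc=1; }
  check_dex_logs "$DEX_LOG" && echo "ok   Dex loaded the saml connector and listens on https" || { echo "FAIL Dex log checkpoints"; rc=1; }
  return $rc
}

preflight
```

A mismatch in `entityIssuer` or `redirectURI` is the usual cause of the failures in 5.1 and 5.3, and catching it with string comparison before a login attempt is faster than reading the SAML error in the browser; the NTP check from 5.1 is left out because it needs a live clock comparison rather than static input.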
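How the `policy.csv` mapping from section 4.1 decides which role a SAML user ends up with, which is what FAQ 5.2 turns on: Dex passes the `emailAttr` value as the subject, each `g` line maps a subject to a role, and a subject with no `g` line falls back to `policy.default`. This added example (not from the original page, and a local re-implementation rather than ArgoCD's own Casbin evaluation) resolves that mapping in POSIX shell and awk; the policy text and e-mail addresses are constructed copies of the tutorial's sample.

```shell
#!/bin/sh
# Added example (not from the original page): resolve the ArgoCD role(s) a
# subject receives from an argocd-rbac-cm policy, with the policy.default
# fallback for unmapped subjects. Exact string match on the subject, as the
# "g" line is written.

# Constructed copy of policy.csv and policy.default from section 4.1.
POLICY_CSV='g, admin@example.com, role:admin
g, dev@example.com, role:readonly'
POLICY_DEFAULT="role:readonly"

# roles_for SUBJECT [POLICY] [DEFAULT]: print every role mapped to SUBJECT,
# one per line; print DEFAULT (may be empty) when no "g" line matches.
roles_for() {
  subject=$1
  policy=${2-$POLICY_CSV}
  default=${3-$POLICY_DEFAULT}
  printf '%s\n' "$policy" | awk -v subj="$subject" -v def="$default" '
    /^[ \t]*(#|$)/ { next }                 # skip blank lines and comments
    {
      n = split($0, f, ",")                 # fields: g, subject, role
      for (i = 1; i <= n; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
      if (f[1] == "g" && f[2] == subj) { print f[3]; found = 1 }
    }
    END { if (!found) print def }'
}

# explain_login EMAIL: one-line diagnosis for FAQ 5.2.
explain_login() {
  roles=$(roles_for "$1" | tr '\n' ' ')
  if [ -z "$(roles_for "$1" "$POLICY_CSV" "")" ]; then
    echo "$1: no g line matches; effective role comes from policy.default ($POLICY_DEFAULT)"
  else
    echo "$1: mapped to $roles"
  fi
}

explain_login admin@example.com
explain_login dev@example.com
explain_login nobody@example.com
```

If a user's e-mail as issued by the IdP differs from the `g` line (a different case, a different domain alias), no line matches and the user silently lands on `policy.default`; comparing the subject Dex actually received with the policy line is the quickest way to confirm the FAQ 5.2 symptom.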