In this article we will learn how to configure GitHub Single Sign-On (SSO) with ArgoCD. ArgoCD is a popular GitOps tool for continuous delivery, supports integration with third-party identity providers to enable Single Sign-On (SSO) functionality. This article provides a step-by-step guide to integrating GitHub as an SSO provider for ArgoCD. By enabling GitHub SSO, teams can streamline authentication, improve security, and simplify access management.
Table of Contents
Prerequisites
- AWS Account with Ubuntu 24.04 LTS EC2 Instance.
- Minikube and kubectl Installed.
- Basic knowledge of Kubernetes and Github.
Step #1:Set Up DNS for the Custom Domain
We already have a domain in GoDaddy so first got to GoDaddy.
Go to your account, here “DevOps” and select My Products.
You can see our domain devopshint.xyz below, go to DNS to add the records in it.
In your domain provider’s dashboard, create a DNS A record. Click on Add New Record.
- Type: A
- Name: @
- Value: Your EC2 instance’s public IP address. You must have Elastic IP associated with your EC2 instance.
- TTL: 1 Hour
Save it.
You can see our DNS record is added successfully.
Install NGINX & Certbot:
SSH into your EC2 instance and run:
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx -yConfigure NGINX Reverse Proxy:
Create a new config file:
sudo nano /etc/nginx/sites-available/argocd
Paste this content:
server {
listen 80;
server_name <name of your server>;
location / {
proxy_pass https://localhost:8080;
proxy_ssl_verify off;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Enable the config:
sudo ln -s /etc/nginx/sites-available/argocd /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
Issue SSL Certificate with Certbot:
Now, run:
sudo certbot --nginx -d <your server name>
Follow the prompts:
- Enter email
- Accept TOS
- Certbot will update your NGINX config to support HTTPS
Step #2:Configure GitHub OAuth App
Log in to your GitHub account. Navigate to Settings.
Then go to Developer settings.
Then go to OAuth Apps and click on New OAuth app.
fill in the following details:
- Application name:
ArgoCD - Homepage URL:
https://git.devopshint.xyz - Authorization callback URL:
https://git.devopshint.xyz/api/dex/callback
Then click in Register application to register it.
Note down the Client ID and Client secrets for later use.
Step #3:Deploy ArgoCD on Kubernetes
Create a new namespace called argocd in your Kubernetes cluster.
kubectl create namespace argocd
Install ArgoCD in the argocd namespace by applying the YAML file from the provided URL.
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
List all the resources in the argocd namespace. It provides an overview of the ArgoCD setup includes Pods, Services, Deployments, ReplicaSets, and more.
kubectl -n argocd get all
Edit the service configuration of argocd-server.
kubectl -n argocd edit service argocd-server
modify it shown below. Change the type field from ClusterIP to NodePort. ClusterIP exposes the service only within the cluster. NodePort makes the service accessible externally via a specific port on the nodes.
type: NodePort
Run the kubectl -n argocd get all again to see if service type changed to NodePort or not.
kubectl -n argocd get all
Step #3:Configure ArgoCD for GitHub SSO
Edit the ArgoCD ConfigMap to configure GitHub as the SSO provider.
kubectl -n argocd edit configmap argocd-cm
Modify it as shown below. Replace <YOUR_CLIENT_ID>, <YOUR_CLIENT_SECRET> with your actual values. And give the values of redirectURI, url.
apiVersion: v1
data:
dex.config: |
connectors:
- type: github
id: github
name: GitHub
config:
clientID: "<YOUR_CLIENT_ID>"
clientSecret: "<YOUR_CLIENT_SECRET>"
redirectURI: "https://git.devopshint.xyz/api/dex/callback"
url: https://git.devopshint.xyz
kind: ConfigMap
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"v1","kind":"ConfigMap","metadata":{"annotations":{},"labels":{"app.kubernetes.io/name":"argocd-cm","app.kubernetes.io/part-of":"argocd"},"name":"argocd-cm","namespace":"argocd"}}
creationTimestamp: "2025-01-29T06:11:17Z"
labels:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
name: argocd-cm
namespace: argocd
resourceVersion: "20036"
uid: 65c1e9b3-9bf0-445e-9e6d-b43c7802f8d4
Restart the ArgoCD server to apply the changes.
kubectl -n argocd rollout restart deployment argocd-server
Step #5:Access ArgoCD with GitHub SSO
Run the kubectl port-forward command:
kubectl port-forward svc/argocd-server -n argocd 8080:443
Now open your web browser and run https://<your-domain-name> to go to the home page of ArgoCD.
You’ll see the “LOG IN VIA GITHUB” button on the login page. Now click the LOG IN VIA GITHUB button.
Click on Authorize.
You’ll be redirected to the ArgoCD dashboard.
You can view the SSL Certificate by clicking on lock icon beside the https and then connection is secure and then certificate icon:
Conclusion:
Integrating GitHub SSO with ArgoCD not only improves the security of your continuous delivery processes but also provides a convenient and centralized access mechanism for your team. This setup empowers DevOps teams to better manage authentication while aligning with modern security practices. By following these steps, you’ve successfully secured your ArgoCD environment using GitHub as a trusted identity provider.
Related Articles:
Configure Single Sign-On (SSO) for ArgoCD using OKTA
Reference:
