Add dex doc

svghadi · svghadi · commit 648539fc31bd · 2023-12-06T10:49:16.000+05:30
Signed-off-by: Siddhesh Ghadi &lt;sghadi1203@gmail.com&gt;
diff --git a/docs/OpenShift GitOps Usage Guide.md b/docs/OpenShift GitOps Usage Guide.md
@@ -2,9 +2,9 @@
 
 ## Table of Contents
 1. [Installing OpenShift GitOps](#installing-openshift-gitops)  
-2. [Configure SSO for OpenShift GitOps](#configure-sso-for-openshift-gitops)  
-    a. [RHSSO / Keycloak](#rhssokeycloak)  
-    b. [Dex](#dex)
+2. [Configure SSO for OpenShift GitOps](#configure-sso-for-openshift-gitops)   
+    a. [Dex](#dex)  
+    b. [RHSSO / Keycloak](#rhssokeycloak)  
 4. [Setting environment variables](#setting-environment-variables)    
 6. [Getting started with GitOps Application Manager (kam)](#getting-started-with-gitops-application-manager-kam)  
 7. [Setting up a new ArgoCD instance](#setting-up-a-new-argo-cd-instance)  
@@ -143,98 +143,20 @@ Now, you can create an Argo CD application and let Argo CD keep application reso
 
 GitOps Operator supports Dex & RHSSO for providing single sign-on authentication and user management. 
 
-### RHSSO/Keycloak
-
-GitOps comes with a bundled keycloak instance which is configured for authenticating with Argo CD component of Openshift GitOps. The main purpose of this instance created by the operator is to allow users to login into Argo CD with their OpenShift users.
-
-Refer [RHSSO config guidance](./rhsso_config_guidance.md) for installation & configuration steps.
+The configurations are controlled via `.spec.sso` fields in ArgoCD CR. 
 
 ### Dex
 
-**NOTE:** As of v1.3.0, Dex is automatically configured. You can log into the default Argo CD instance in the openshift-gitops namespace using the OpenShift or kubeadmin credentials. As an admin you can disable the Dex installation after the Operator is installed which will remove the Dex deployment from the openshift-gitops namespace.
-
-**NOTE:** `DISABLE_DEX` environment variable & `.spec.dex` fields are no longer supported in OpenShift GitOps v1.10 onwards. Dex can be enabled/disabled by setting `.spec.sso.provider: dex` as follows
-
-```
-spec:
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-```
-
-`oc patch argocd argocd --type='merge' --patch='{ "spec": { "sso": { "provider": "dex", "dex": {"openShiftOAuth": true}}}}`
-
-**NOTE:** Dex resource creation will not be triggered, unless there is valid Dex configuration expressed through `.spec.sso.dex`. This could either be using the default openShift configuration
-
-```
-spec:
-  provider: dex
-  sso:
-    dex:
-      openShiftOAuth: true
-```
-
-`oc patch argocd/openshift-gitops -n openshift-gitops --type='merge' --patch='{ "spec": { "sso": { "provider": "dex", "dex": {"openShiftOAuth": true}}}}`
-
-or it could be custom Dex configuration provided by the user:
-
-```
-spec:
-  sso:
-    dex:
-      config: <custom-dex-config>
-```
-
-`oc patch argocd/openshift-gitops -n openshift-gitops --type='merge' --patch='{ "spec": { "sso": { "provider": "dex", "dex": {"config": <custom-dex-config>}}}}`
-
-**NOTE: Absence of either will result in an error due to failing health checks on Dex**
-
-#### Uninstalling Dex
-
-**NOTE:** `DISABLE_DEX` environment variable & `.spec.dex` fields are no longer supported in OpenShift GitOps v1.10 onwards. Please use `.spec.sso.provider` to enable/disable Dex.  
-
-Dex can be uninstalled either by removing `.spec.sso` from the Argo CD CR, or switching to a different SSO provider.  
-
-You can enable RBAC on Argo CD by following the instructions provided in the Argo CD [RBAC Configuration](https://argoproj.github.io/argo-cd/operator-manual/rbac/). Example RBAC configuration looks like this.
-
-```
-spec:
-  sso:
-    provider: dex
-    dex:
-      openShiftOAuth: true
-  rbac:
-    defaultPolicy: 'role:readonly'
-    policy: |
-      g, system:cluster-admins, role:admin
-      g, ocp-admins, role:admin
-    scopes: '[groups]'
-```
-
-
-`oc patch argocd/openshift-gitops -n openshift-gitops --type='merge' --patch='{ "spec": { "rbac": { "defaultPolicy": "role:readonly", "scopes": "[groups]", "policy": "g, system:cluster-admins, role:admin\ng, ocp-admins, role:admin" } } }'`
-
-
-#### Restricting dex / openShiftOAuth to only a set of groups
-
-As discussed here [https://cloud.redhat.com/blog/openshift-authentication-integration-with-argocd](https://cloud.redhat.com/blog/openshift-authentication-integration-with-argocd) you can restrict oauth access to certain groups. Currently it is not possible to restrict the Argo CD to only a set of groups, through `openShiftOAuth: true`, the RFE is tracked upstream [here](https://github.com/argoproj-labs/argocd-operator/issues/391). However, you can let the operator generate the oauth client and dex.config and then configure it manually and thus be able to extend it.
-
-Assuming you have done the above steps to enable `openShiftOAuth: true`: you can use the following commands to:
+Dex can be used to authenticate with Argo CD. Refer [Dex config guidance](./dex_config_guidance.md) for installation & configuration steps.
 
-1. fetch the current dex.config from the Config Map, extend it with the required groups (e.g. here cluster-admins)
+> **Note**  
+Dex is automatically configured for default Argo CD instance in the openshift-gitops namespace to allow users to use OpenShift OAuth to login into Argo CD. Refer [Uninstall](./dex_config_guidance.md#uninstall) section to disable dex on default Argo CD instance.
 
-2. disable the openShiftOAuth provisioning
-
-3. Put the extended config as manual dex.config
+### RHSSO/Keycloak
 
-This will disable any automatic (and further) full management of the dex / OpenShift integration.
+GitOps comes with a bundled keycloak instance which is configured for authenticating with Argo CD component of Openshift GitOps. The main purpose of this instance created by the operator is to allow users to login into Argo CD with their OpenShift users.
 
-```
-oidc_config=$(oc get cm -n openshift-gitops argocd-cm -o json | jq '.data["dex.config"]' | sed 's@/callback@/callback\\n	groups:\\n  	- cluster-admins@' | sed 's/"//g')
-oc patch argocd/openshift-gitops -n openshift-gitops --type='json' --patch='[{"op": "remove", "path": "/spec/sso/dex/openShiftOAuth" }]'
-oc patch argocd/openshift-gitops -n openshift-gitops --type='merge' --patch="{ \"spec\": { \"sso\": { \"dex\": { \"config\": \"${oidc_config}\" } } } }"
-```
+Refer [RHSSO config guidance](./rhsso_config_guidance.md) for installation & configuration steps.
 
 ## Setting environment variables
 
diff --git a/docs/dex_config_guidance.md b/docs/dex_config_guidance.md
@@ -0,0 +1,213 @@
+# Dex Config Guidance
+
+The scope of this document is to describe the steps to Install, Configure(Setup Login with OpenShift) and Uninstall the Dex with OpenShift GitOps Operator.
+
+## Table of Contents
+
+1. [Install](#install)
+2. [Login with OpenShift](#login-with-openshift)
+3. [Restrict login to only a set of Groups](#restrict-login-to-only-a-set-of-groups)
+4. [Argo CD RBAC Policies for Dex](#argo-cd-rbac-policies-for-dex)
+5. [Dex Resource requests/limits](#dex-resource-requestslimits)
+6. [Uninstall](#uninstall)
+
+## Install
+
+> **Note**  
+`DISABLE_DEX` environment variable & `.spec.dex` fields are no longer supported in OpenShift GitOps v1.10 onwards. Dex can be enabled/disabled by setting `.spec.sso.provider: dex` in ArgoCD CR.
+
+To enable dex, set `.spec.sso.provider` to `dex` & add dex configs under `.spec.sso.dex` fields in ArgoCD CR.  
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name> 
+spec:
+  sso:
+    provider: dex
+    dex:
+      openShiftOAuth: true
+```
+or 
+```bash
+oc -n <namespace> patch argocd <argocd-instance-name> --type='merge' --patch='{ "spec": { "sso": { "provider": "dex", "dex": {"openShiftOAuth": true}}}}
+```
+
+Operator has built-in support for OpenShift Dex connector and can be enabled by setting `.spec.sso.dex.openShiftOAuth` to `true`. This will automatically configure the dex to use OpenShift users to log in into Argo CD. Any additional connector configurations can be made using `.spec.sso.dex.config` field.
+
+> **Note**  
+There is known issue due to which default OpenShift connector configurations are overridden when `.spec.sso.dex.config` is set. Fix is tracked [here](https://issues.redhat.com/browse/GITOPS-3600).
+
+> **Important**  
+Dex resource creation will not be triggered, unless there is valid Dex configuration expressed through `.spec.sso.dex`. This could either be using the default OpenShift configuration via `.spec.sso.dex.openShiftOAuth` or it could be custom Dex configuration provided by the user via `.spec.sso.dex.config`. Absence of either will result in an error due to failing health checks on Dex.
+
+Addition configurations such as a different dex image, version, resource limits, etc can be provided. Refer [dex-options](https://argocd-operator.readthedocs.io/en/latest/reference/argocd/#dex-options) section in argocd-operator documentation for more details.
+
+## Login with OpenShift
+
+- Go to the `OpenShift Console -> Networking -> Routes`.
+
+- Select your Argo CD instance namespace under `Project` dropdown.
+
+- Click on the `<argocd-instance>-server` route url to access the Argo CD UI.
+
+- You will be redirected to Argo CD Login Page.
+
+- You can see an option to **LOG IN VIA OPENSHIFT** apart from the usual Argo CD login. Click on the button. (Please clear the site cache or use incognito window if facing issues).
+
+- You will be redirected to the OpenShift Login Page.
+
+- Provide the OpenShift login credentials to get redirected to Argo CD. 
+
+- Upon successful login in Argo CD, you can look at the user details by clicking on the User Info Tab in Argo CD UI.
+
+## Restrict login to only a set of Groups
+
+Dex allows the admin to restrict login to optional list of groups. Which means, only the users who are part of any of the these groups will be able to login into Argo CD.
+
+To enable it, use `.spec.sso.dex.groups` field in ArgoCD CR. 
+
+For example, below will give allow only users of `foo` & `bar` group to login into Argo CD via Dex.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name>
+spec:
+  sso:
+    provider: dex
+    dex:
+      openShiftOAuth: true
+      groups:
+        - foo
+        - bar
+```
+
+## Argo CD RBAC Policies for Dex
+
+#### Default access
+
+For versions upto and not including v1.10, 
+
+- any user (except `kube:admin`) logged into Argo CD using Dex will be a **read-only** user by default.
+
+  `policy.default: role:readonly`
+
+For versions starting v1.10 and above,
+
+- any user (except `kube:admin`) logged into the default Argo CD instance `openshift-gitops` in namespace `openshift-gitops` will have **no access** by default.
+
+  `policy.default: ''`
+
+- any user logged into user managed custom Argo CD instance will have **read-only** access by default.
+
+  `policy.default: 'role:readonly'`
+
+This default behavior can be modified by updating the `.spec.rbac.defaultyPolicy` in ArgoCD CR.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name>
+spec:
+  rbac:
+    defaultyPolicy: 'role:readonly'
+```
+
+A detailed information on basic role policies can be found [here](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#basic-built-in-roles).
+
+#### Group Level Access
+
+Dex reads the group information of OpenShift users. This allows admin to configure rbac at group level using group name. `.spec.rbac.policy` in ArgoCD CR can be used to add group level rbac policies. 
+
+For example, below will give admin level access to all the users from `foo-admins` OpenShift group.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name>
+spec:
+  rbac:
+    policy.csv: |
+      g, foo-admins, role:admin
+```
+
+More information regarding Argo CD RBAC can be found [here](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/).
+
+#### User Level Access
+
+Admin can control access at individual user level by adding rbac configurations under `.spec.rbac.policy` in ArgoCD CR.
+
+> **Important**  
+It is not recommended to use user level RBAC with OpenShift login as it poses security risk. Refer [this](https://github.com/argoproj/argo-cd/discussions/8160#discussioncomment-1975554) discussion for more details. 
+
+For example, below will give admin level access to a user with email `foo@example.com` & user with username `bar`
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name>
+spec:
+  rbac:
+    policy.csv: |
+      g, foo@example.com, role:admin
+      g, bar, role:admin
+    scopes: '[groups,name,email]'
+```
+
+More information regarding Argo CD RBAC can be found [here](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/).
+
+## Dex Resource requests/limits
+
+Dex container by default gets created with following  resource requests and limits.
+
+|Resource|Requests|Limits
+|:-:|:-:|:-:|
+|CPU|250m|500m|
+|Memory|128 Mi|256 Mi|
+
+Admin can modify the Dex resource requests/limits by updating `.spec.sso.dex.resources` field in ArgoCD CR. 
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name>
+spec:
+  sso:
+    provider: dex
+    dex:
+      resources:
+        requests:
+          cpu: 512m
+          memory: 512Mi
+        limits:
+          cpu: 1024m
+          memory: 1024Mi
+```
+
+## Uninstall
+
+**NOTE:** `DISABLE_DEX` environment variable & `.spec.dex` fields are no longer supported in OpenShift GitOps v1.10 onwards. Please use `.spec.sso.provider` to enable/disable Dex.  
+
+Dex can be uninstalled either by removing `.spec.sso` from the Argo CD CR, or switching to a different SSO provider.  
+
+```bash
+oc -n <namespace> patch argocd <argocd-instance-name> --type json   -p='[{"op": "remove", "path": "/spec/sso"}]'
+```
+
+Or 
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ArgoCD
+metadata:
+  name: <argocd-instance-name>
+spec:
+  sso: {}
+```
