Ativando SSO para ArgoCD

Visão geral

O script uipathctl.sh é necessário para habilitar a autenticação SSO. Para obter mais detalhes sobre o script e os parâmetros que você precisa usar, consulte .

Preparing the configuration files

Você deve gerar o arquivo do RBAC e o arquivo de configuração do Dex antes de habilitar o SSO para o ArgoCD.

The RBAC file

O arquivo RBAC contém regras de acesso. Para obter detalhes sobre as definições de função integradas, consulte a documentação do ArgoCD. Para obter detalhes sobre os tipos de conta do ArgoCD e suas permissões, consulte Gerenciamento do cluster no ArgoCD. Recomendamos usar essas funções ao definir seus grupos, mas você pode criar seu próprio conjunto de permissões.

Configuring the RBAC file

Create a file named policy.csv by running the following command:
```
uipathctl config argocd generate-rbacuipathctl config argocd generate-rbac
```

Add the following content to the policy.csv file and save it:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-syncp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync

Associe seus grupos de RBAC à função de administrador integrada e à função somente leitura do argocdro da UiPath®, anexando as seguintes linhas ao arquivo RBAC policy.csv:

g, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:adming, <your_ldap_readonly_group_name>, role:uipath-sync
g, <your_ldap_admin_group_name>, role:admin

Salve o arquivo RBAC policy.csv atualizado.

Exemplo:

Digamos que seu grupo LDAP para administradores do ArgoCD seja "Administradores" e o grupo LDAP para usuários somente leitura do ArgoCD seja "Leitores", o arquivo RBAC deve ser:

p, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:adminp, role:uipath-sync, applications, get, */*, allow
p, role:uipath-sync, applications, sync, */*, allow
g, argocdro, role:uipath-sync
g, Readers, role:uipath-sync
g, Administrators, role:admin

Para casos de uso mais avançados, consulte o arquivo RBAC padrão.

# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin# Built-in policy which defines two roles: role:readonly and role:admin,
# and additionally assigns the admin user to the role:admin role.
# There are two policy formats:
# 1. Applications, logs, and exec (which belong to a project):
# p, <user/group>, <resource>, <action>, <project>/<object>
# 2. All other resources:
# p, <user/group>, <resource>, <action>, <object>

p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
p, role:readonly, logs, get, */*, allow

p, role:admin, applications, create, */*, allow
p, role:admin, applications, update, */*, allow
p, role:admin, applications, delete, */*, allow
p, role:admin, applications, sync, */*, allow
p, role:admin, applications, override, */*, allow
p, role:admin, applications, action/*, */*, allow
p, role:admin, applicationsets, get, */*, allow
p, role:admin, applicationsets, create, */*, allow
p, role:admin, applicationsets, update, */*, allow
p, role:admin, applicationsets, delete, */*, allow
p, role:admin, certificates, create, *, allow
p, role:admin, certificates, update, *, allow
p, role:admin, certificates, delete, *, allow
p, role:admin, clusters, create, *, allow
p, role:admin, clusters, update, *, allow
p, role:admin, clusters, delete, *, allow
p, role:admin, repositories, create, *, allow
p, role:admin, repositories, update, *, allow
p, role:admin, repositories, delete, *, allow
p, role:admin, projects, create, *, allow
p, role:admin, projects, update, *, allow
p, role:admin, projects, delete, *, allow
p, role:admin, accounts, update, *, allow
p, role:admin, gpgkeys, create, *, allow
p, role:admin, gpgkeys, delete, *, allow
p, role:admin, exec, create, */*, allow

g, role:admin, role:readonly
g, admin, role:admin

O arquivo de configuração do Dex

O arquivo de configuração do Dex contém os parâmetros necessários para configurar o SSO para o ArgoCD.

Observação: se você já tiver um arquivo de conector LDAP (ldap_connector.yaml), pule para Habilitar o SSO para o ArgoCD.

Para configurar o SSO por meio do LDAP, execute as seguintes etapas:

Gere o arquivo de modelo LDAP executando o seguinte comando. O arquivo de modelo do conector é gerado no mesmo diretório em que você executa o comando.
```
uipathctl config argocd generate-dex-config -t ldapuipathctl config argocd generate-dex-config -t ldap
```

Copie a saída que começa em --- e salve-a como ldap_connector.yaml.

Exemplo de um arquivo de configuração do ArgoCD:

---
connectors:
  - type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn---
connectors:
  - type: ldap
    # Required field for connector id.
    id: ldap
    # Required field for connector name.
    name: OpenLDAP
    config:
      host: openldap:389
      insecureNoSSL: true
      startTLS: false
      bindDN: cn=admin,dc=example,dc=org
      bindPW: adminpassword
      usernamePrompt: Email Address
      userSearch:
        baseDN: ou=People,dc=example,dc=org
        filter: "(objectClass=person)"
        username: mail
        idAttr: DN
        emailAttr: mail
        nameAttr: cn
      # Group search queries for groups given a user entry.
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=org
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn

Exemplo de um arquivo de conector LDAP do Active Directory:

---
connectors:
- id: ldap
  name: ActiveDirectory
  type: ldap
  config:
    bindDN: cn=admin,cn=Users,dc=example,dc=local
    bindPW: "<admins's password>"
    groupSearch:
      baseDN: dc=example,dc=local
      filter: "(objectClass=group)"
      nameAttr: cn
      userMatchers:
        - userAttr: distinguishedName
          groupAttr: member
    host: "ldaphost:389"
    insecureNoSSL: true
    insecureSkipVerify: true
    startTLS: false
    userSearch:
      baseDN: cn=Users,dc=example,dc=local
      emailAttr: userPrincipalName
      filter: (objectClass=person)
      idAttr: DN
      nameAttr: cn
      username: userPrincipalName
    usernamePrompt: Email Address---
connectors:
- id: ldap
  name: ActiveDirectory
  type: ldap
  config:
    bindDN: cn=admin,cn=Users,dc=example,dc=local
    bindPW: "<admins's password>"
    groupSearch:
      baseDN: dc=example,dc=local
      filter: "(objectClass=group)"
      nameAttr: cn
      userMatchers:
        - userAttr: distinguishedName
          groupAttr: member
    host: "ldaphost:389"
    insecureNoSSL: true
    insecureSkipVerify: true
    startTLS: false
    userSearch:
      baseDN: cn=Users,dc=example,dc=local
      emailAttr: userPrincipalName
      filter: (objectClass=person)
      idAttr: DN
      nameAttr: cn
      username: userPrincipalName
    usernamePrompt: Email Address

Atualize o arquivo do conector LDAP com as informações necessárias e salve-o. Recomendamos o uso de LDAPS.

Ativando SSO para ArgoCD

Depois de preparar o RBAC e o arquivo de configuração do Dex, você pode habilitar o SSO para o ArgoCD:

Atualize o arquivo cluster_config.json com os seguintes parâmetros:
1. fabric.argocd_dex_config_file - digite o caminho para o arquivo de configuração do Dex criado anteriormente.
2. fabric.argocd_rbac_config_file - digite o caminho para o arquivo do RBAC criado anteriormente.

Execute novamente o instalador de malha:

./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement./install-uipath.sh -i cluster_config.json -f -o output.json --accept-license-agreement