![\"\"](\"https:\/\/www.yinyubo.com\/wp-content\/uploads\/2021\/12\/image-18-1024x535.png\")
<\/figure>\n\n\n\n\u6839\u636e\u4e0a\u9762\u7684\u56fe\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c\u4e3b\u8981\u662f\u901a\u8fc7\u914d\u7f6eargocd-cm\u548cargocd-rbac-cm\u4e24\u4e2a\u914d\u7f6e\u6587\u4ef6\u6765\u751f\u6548\u7684<\/p>\n\n\n\n
\u4e0b\u9762\u6211\u4eec\u6765\u8be6\u7ec6\u8bb2\u8bb2\u914d\u7f6e\u6587\u4ef6\u5982\u4f55\u7f16\u5199\uff0c\u5173\u4e8egitea,ldap\u7684\u5b89\u88c5\u8fd9\u91cc\u5c31\u4e0d\u518d\u63cf\u8ff0\u4e86\uff0c\u7b80\u5355\u63d0\u4e00\u53e5argocd\u7684\u5b89\u88c5<\/p>\n\n\n\n
kubectl create namespace argocd\nkubectl apply -n argocd -f https:\/\/raw.githubusercontent.com\/argoproj\/argo-cd\/stable\/manifests\/install.yaml<\/code><\/pre>\n\n\n\n\u63a5\u5165LDAP\u7684\u914d\u7f6e<\/h2>\n\n\n\n
\u7f16\u5199\u4e00\u4e2aldap-patch-dex.yaml<\/p>\n\n\n\n
\u6ce8\u610f<\/em>\uff1a\u8fd9\u91cc\u6709\u4e00\u4e2a\u5751\u7239\u7684\u5730\u65b9\uff0cDN\u5c45\u7136\u8981\u5927\u5199\u624d\u80fd\u4f7f\u7528\uff0c\u5b98\u7f51\u6587\u6863\u6ca1\u6709\u8bf4\u8981\u5927\u5199<\/p>\n\n\n\napiVersion: v1\ndata:\n dex.config: |\n connectors:\n - type: ldap\n name: \u7edf\u4e00\u8d26\u6237\u4e2d\u5fc3\n id: ldap\n config:\n # Ldap server address\n host: ${LDAP\u5730\u5740}:${LDAP\u7aef\u53e3}\n insecureNoSSL: true\n insecureSkipVerify: true\n # Variable name stores ldap bindDN in argocd-secret\n bindDN: \"$dex.ldap.bindDN\"\n # Variable name stores ldap bind password in argocd-secret\n bindPW: \"$dex.ldap.bindPW\"\n usernamePrompt: \u7528\u6237\u540d\n # Ldap user serch attributes\n userSearch:\n baseDN: \"ou=XXXX,dc=XXX,dc=com\"\n filter: \"(objectClass=person)\"\n username: uid\n idAttr: uid\n emailAttr: mail\n nameAttr: cn\n # Ldap group serch attributes\n groupSearch:\n baseDN: \"dc=XXX,dc=com\"\n filter: \"(objectClass=groupOfUniqueNames)\"\n userAttr: DN\n groupAttr: uniqueMember\n nameAttr: cn<\/code><\/pre>\n\n\n\nkubectl -n argocd patch configmaps argocd-cm --patch \"$(cat ldap-patch-dex.yaml)\"\n\n<\/code><\/pre>\n\n\n\n\u4e0a\u9762\u7684 bindPW \u548c bindDN \u6211\u4eec\u653e\u4e00\u4e2a\u53ea\u8bfb\u6743\u9650\u7684\u8d26\u6237\u5230secret\u91cc\uff0c\u8bbe\u7f6e\u65b9\u6cd5\u5982\u4e0b<\/p>\n\n\n\n
kubectl -n argocd patch secrets argocd-secret --patch \"{\\\"data\\\":{\\\"dex.ldap.bindPW\\\":\\\"$(echo my-password | base64 -w 0)\\\"}}\"\n\nkubectl -n argocd patch secrets argocd-secret --patch \"{\\\"data\\\":{\\\"dex.ldap.bindDN\\\":\\\"$(echo CN=ldapuser,OU=Service Accounts,OU=Resource,DC=mydomain,DC=local | base64 -w 0)\\\"}}\"<\/code><\/pre>\n\n\n\n\u8bbe\u7f6egrooup\u6743\u9650\uff08\u53ea\u6709ldap\u80fd\u5206\u7ec4\uff0cgitea\u63a5\u5165\u4e0d\u80fd\u83b7\u53d6\u5206\u7ec4\uff09<\/h2>\n\n\n\n
\u7f16\u8f91argocd-rbac-cm \u6587\u4ef6\uff0c\u8fd9\u91cc\u4e3e\u4f8b\u8bbe\u7f6e “administrators “\u7ec4\u4e3a\u7ba1\u7406\u5458<\/p>\n\n\n\n
kubectl edit configmaps -n argocd argocd-rbac-cm<\/p>\n\n\n\n
apiVersion: v1\ndata:\n policy.csv: |\n g, administrators, role:admin\n policy.default: role:readonly<\/code><\/pre>\n\n\n\n\u7f16\u8f91\u5b8c\u6210\u4e4b\u540e\uff0c\u9700\u8981\u91cd\u542fargocd\u548cdex<\/p>\n\n\n\n
kubectl delete pod -n argocd argocd-dex-server-7857b96dbb-s596m<\/code><\/pre>\n\n\n\nkubectl delete pod -n argocd argocd-server-559f498454-fl5d2<\/code><\/pre>\n\n\n\n\u6548\u679c\u6f14\u793a<\/h2>\n\n\n\n![\"\"](\"https:\/\/www.yinyubo.com\/wp-content\/uploads\/2021\/12\/image-19.png\")
<\/figure>\n\n\n\n
\n\n\n\n![\"\"](\"https:\/\/www.yinyubo.com\/wp-content\/uploads\/2021\/12\/image-20.png\")
<\/figure>\n\n\n\n
\n\n\n\n![\"\"](\"https:\/\/www.yinyubo.com\/wp-content\/uploads\/2021\/12\/image-24.png\")
<\/figure>\n\n\n\n\u4e0d\u63a8\u8350\u4f7f\u7528\uff08\u63a5\u5165gitea oauth2\u8ba4\u8bc1\uff09<\/h2>\n\n\n\n
\u8fd9\u4e2a \u63a5\u5165gitea oauth2 \u8ba4\u8bc1\u6211\u4e0d\u63a8\u8350\uff0c\u56e0\u4e3a\u6ca1\u6709\u529e\u6cd5\u8bbe\u7f6e\u201c\u7ec4\u201d\uff0c\u6240\u6709\u7528\u6237\u901a\u8fc7\u8fd9\u79cd\u65b9\u5f0f\u767b\u5f55\u8fdb\u6765\u7684\u90fd\u662f policy.default \u5bf9\u5e94\u7684\u6743\u9650\uff0c\u4e5f\u8bb8\u4ee5\u540e\u4f1a\u6709\uff0c\u4f46\u662f\u7b14\u8005\u5199\u8fd9\u7bc7\u6587\u7ae0\u7684\u65f6\u5019\u662f\u6ca1\u6709\u529e\u6cd5\u83b7\u53d6\u201c\u7ec4\u201d\u7684\u3002<\/p>\n\n\n\n
1\uff0c\u5728gitea\u91cc\u8f93\u5165\u91cd\u5b9a\u5411URI\u521b\u5efaoauth2\u8ba4\u8bc1\uff0c\u83b7\u5f97clientID\u548cclientSecret\u3002<\/p>\n\n\n\n
\u6ce8\u610f\uff1aargocd\u7684\u91cd\u5b9a\u5411\u5730\u5740\u662f\u56fa\u5b9a\u540e\u7f00\/api\/dex\/callback<\/em><\/p>\n\n\n\n![\"\"](\"https:\/\/www.yinyubo.com\/wp-content\/uploads\/2021\/12\/image-22-1024x443.png\")
<\/figure>\n\n\n\n2.\u521b\u5efa\u4e00\u4e2agitea-patch-dex.yaml \u5185\u5bb9\u5982\u4e0b<\/p>\n\n\n\n
apiVersion: v1\ndata:\n accounts.drone: apiKey,login\n dex.config: |-\n connectors:\n - type: gitea\n name: Gitea\n id: gitea\n config:\n baseURL: https:\/\/gitea\u57df\u540d\n redirectURI: https:\/\/argocd\u57df\u540d\/api\/dex\/callback\n clientID: \u4e0a\u4e00\u6b65\u83b7\u53d6\u7684clientID\n clientSecret: \u4e0a\u4e00\u6b65\u83b7\u53d6\u7684clientSecret<\/code><\/pre>\n\n\n\n3.\u751f\u6548\u914d\u7f6e\u6587\u4ef6\uff0c\u91cd\u542fdex<\/p>\n\n\n\n
kubectl -n argocd patch configmaps argocd-cm --patch \"$(cat ldap-patch-dex.yaml)\"\n\nkubectl delete pod -n argocd argocd-dex-server-7857b96dbb-s596m\n\n\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"\u80cc\u666f argocd\u9ed8\u8ba4\u662f\u901a\u8fc7\u4fee\u6539argocd-cm\u6765\u6dfb\u52a0\u8d26\u6237\u7684\uff0c\u6dfb\u52a0\u5b8c\u8d26\u6237\u540e\uff0c\u8fd8\u9700\u8981\u4f7f\u7528argocd\u5ba2\u6237\u7aef\u547d\u4ee4 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-1090","post","type-post","status-publish","format-standard","hentry","category-k8s"],"_links":{"self":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts\/1090","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1090"}],"version-history":[{"count":5,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts\/1090\/revisions"}],"predecessor-version":[{"id":1102,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=\/wp\/v2\/posts\/1090\/revisions\/1102"}],"wp:attachment":[{"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.yinyubo.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}