Argo CD

This guide walks you through connecting Argo CD to Nauthera so that users can sign in with their Nauthera account and have Argo CD roles assigned automatically based on group membership.

What you will set up

OIDC sign-in for Argo CD via Nauthera
Group-based RBAC (e.g. argocd-admins can sync any app, dev-team can only view)
Optional: restrict access to specific groups

Prerequisites

A running Nauthera instance with a reachable issuer URL (e.g. https://auth.example.com)
Argo CD 2.6+ deployed in the cluster
A ClusterAuthPolicy or AuthPolicy that includes the groups scope

Step 1 — Create the OidcClient

apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: argocd
  namespace: argocd
spec:
  displayName: Argo CD
  redirectUris:
    - "https://argocd.example.com/auth/callback"
  allowedScopes:
    - openid
    - profile
    - email
    - groups
  grantTypes:
    - authorization_code
    - refresh_token

kubectl apply -f argocd-oidc-client.yaml

Retrieve the generated credentials:

CLIENT_ID=$(kubectl get secret argocd-credentials -n argocd -o jsonpath='{.data.client_id}' | base64 -d)
CLIENT_SECRET=$(kubectl get secret argocd-credentials -n argocd -o jsonpath='{.data.client_secret}' | base64 -d)

Step 2 — Enable the groups scope

Ensure your policy includes the groups scope and claim mapping:

apiVersion: auth.nauthera.io/v1alpha1
kind: ClusterAuthPolicy
metadata:
  name: default
spec:
  scopes:
    - openid
    - profile
    - email
    - groups
  claimMappings:
    - claim: groups
      attribute: groups

Step 3 — Configure Argo CD

argocd-cm ConfigMap

Add the OIDC configuration to the argocd-cm ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: "https://argocd.example.com"
  oidc.config: |
    name: Nauthera
    issuer: https://auth.example.com
    clientID: $oidc.nauthera.clientID
    clientSecret: $oidc.nauthera.clientSecret
    requestedScopes:
      - openid
      - profile
      - email
      - groups

argocd-secret Secret

Store the client credentials in the argocd-secret:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  oidc.nauthera.clientID: "<your-client-id>"
  oidc.nauthera.clientSecret: "<your-client-secret>"

Or patch it with the values from Step 1:

kubectl -n argocd patch secret argocd-secret --type merge -p \
  "{\"stringData\":{\"oidc.nauthera.clientID\":\"$CLIENT_ID\",\"oidc.nauthera.clientSecret\":\"$CLIENT_SECRET\"}}"

argocd-rbac-cm ConfigMap

Map Nauthera groups to Argo CD roles:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    # Argo CD admins — full access
    g, argocd-admins, role:admin
 
    # Dev team — can sync and view apps in the dev project
    p, role:dev-team, applications, get, dev/*, allow
    p, role:dev-team, applications, sync, dev/*, allow
    g, dev-team, role:dev-team
 
    # Viewers — read-only (default for everyone else)
  scopes: "[groups]"

The scopes field tells Argo CD which JWT claim to use for group membership. Setting it to [groups] matches the Nauthera groups claim.

Step 4 — Verify

Navigate to your Argo CD instance and click Log in via Nauthera.
Authenticate at the Nauthera login page.
After redirect, verify your user info shows the correct groups.
Test RBAC: a user in argocd-admins should be able to create and sync applications, while others get read-only access.

Helm values (argo-cd chart)

If you deploy Argo CD via the argo-cd Helm chart:

# values.yaml
configs:
  cm:
    url: "https://argocd.example.com"
    oidc.config: |
      name: Nauthera
      issuer: https://auth.example.com
      clientID: $oidc.nauthera.clientID
      clientSecret: $oidc.nauthera.clientSecret
      requestedScopes:
        - openid
        - profile
        - email
        - groups
 
  rbac:
    policy.default: role:readonly
    policy.csv: |
      g, argocd-admins, role:admin
      p, role:dev-team, applications, get, dev/*, allow
      p, role:dev-team, applications, sync, dev/*, allow
      g, dev-team, role:dev-team
    scopes: "[groups]"
 
  secret:
    extra:
      oidc.nauthera.clientID: "<your-client-id>"
      oidc.nauthera.clientSecret: "<your-client-secret>"

Restricting access

Add requiredGroups to the OidcClient to limit who can sign in:

spec:
  requiredGroups:
    - argocd-admins
    - dev-team

Troubleshooting

Symptom	Cause	Fix
Login button missing	OIDC config not loaded	Restart `argocd-server` after editing `argocd-cm`
"Failed to authenticate"	Client secret mismatch	Verify `argocd-secret` matches Nauthera credentials
Groups not appearing	`scopes` not set in RBAC config	Add `scopes: "[groups]"` to `argocd-rbac-cm`
Redirect URI error	Callback URL mismatch	Ensure `redirectUris` includes `/auth/callback`
Always read-only	Group names don't match RBAC policy	Check exact group names with `kubectl get secret argocd-credentials`

OidcClient — Full CRD reference
AuthPolicy — Scope and claim mapping configuration
User Management — Creating users and groups

PreviousGrafana NextHarbor

Argo CD

This guide walks you through connecting Argo CD to Nauthera so that users can sign in with their Nauthera account and have Argo CD roles assigned automatically based on group membership.

What you will set up

OIDC sign-in for Argo CD via Nauthera
Group-based RBAC (e.g. argocd-admins can sync any app, dev-team can only view)
Optional: restrict access to specific groups

Prerequisites

A running Nauthera instance with a reachable issuer URL (e.g. https://auth.example.com)
Argo CD 2.6+ deployed in the cluster
A ClusterAuthPolicy or AuthPolicy that includes the groups scope

Step 1 — Create the OidcClient

apiVersion: auth.nauthera.io/v1alpha1
kind: OidcClient
metadata:
  name: argocd
  namespace: argocd
spec:
  displayName: Argo CD
  redirectUris:
    - "https://argocd.example.com/auth/callback"
  allowedScopes:
    - openid
    - profile
    - email
    - groups
  grantTypes:
    - authorization_code
    - refresh_token

kubectl apply -f argocd-oidc-client.yaml

Retrieve the generated credentials:

CLIENT_ID=$(kubectl get secret argocd-credentials -n argocd -o jsonpath='{.data.client_id}' | base64 -d)
CLIENT_SECRET=$(kubectl get secret argocd-credentials -n argocd -o jsonpath='{.data.client_secret}' | base64 -d)

Step 2 — Enable the groups scope

Ensure your policy includes the groups scope and claim mapping:

apiVersion: auth.nauthera.io/v1alpha1
kind: ClusterAuthPolicy
metadata:
  name: default
spec:
  scopes:
    - openid
    - profile
    - email
    - groups
  claimMappings:
    - claim: groups
      attribute: groups

Step 3 — Configure Argo CD

argocd-cm ConfigMap

Add the OIDC configuration to the argocd-cm ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  url: "https://argocd.example.com"
  oidc.config: |
    name: Nauthera
    issuer: https://auth.example.com
    clientID: $oidc.nauthera.clientID
    clientSecret: $oidc.nauthera.clientSecret
    requestedScopes:
      - openid
      - profile
      - email
      - groups

argocd-secret Secret

Store the client credentials in the argocd-secret:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
type: Opaque
stringData:
  oidc.nauthera.clientID: "<your-client-id>"
  oidc.nauthera.clientSecret: "<your-client-secret>"

Or patch it with the values from Step 1:

kubectl -n argocd patch secret argocd-secret --type merge -p \
  "{\"stringData\":{\"oidc.nauthera.clientID\":\"$CLIENT_ID\",\"oidc.nauthera.clientSecret\":\"$CLIENT_SECRET\"}}"

argocd-rbac-cm ConfigMap

Map Nauthera groups to Argo CD roles:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    # Argo CD admins — full access
    g, argocd-admins, role:admin
 
    # Dev team — can sync and view apps in the dev project
    p, role:dev-team, applications, get, dev/*, allow
    p, role:dev-team, applications, sync, dev/*, allow
    g, dev-team, role:dev-team
 
    # Viewers — read-only (default for everyone else)
  scopes: "[groups]"

The scopes field tells Argo CD which JWT claim to use for group membership. Setting it to [groups] matches the Nauthera groups claim.

Step 4 — Verify

Navigate to your Argo CD instance and click Log in via Nauthera.
Authenticate at the Nauthera login page.
After redirect, verify your user info shows the correct groups.
Test RBAC: a user in argocd-admins should be able to create and sync applications, while others get read-only access.

Helm values (argo-cd chart)

If you deploy Argo CD via the argo-cd Helm chart:

# values.yaml
configs:
  cm:
    url: "https://argocd.example.com"
    oidc.config: |
      name: Nauthera
      issuer: https://auth.example.com
      clientID: $oidc.nauthera.clientID
      clientSecret: $oidc.nauthera.clientSecret
      requestedScopes:
        - openid
        - profile
        - email
        - groups
 
  rbac:
    policy.default: role:readonly
    policy.csv: |
      g, argocd-admins, role:admin
      p, role:dev-team, applications, get, dev/*, allow
      p, role:dev-team, applications, sync, dev/*, allow
      g, dev-team, role:dev-team
    scopes: "[groups]"
 
  secret:
    extra:
      oidc.nauthera.clientID: "<your-client-id>"
      oidc.nauthera.clientSecret: "<your-client-secret>"

Restricting access

Add requiredGroups to the OidcClient to limit who can sign in:

spec:
  requiredGroups:
    - argocd-admins
    - dev-team

Troubleshooting

Symptom	Cause	Fix
Login button missing	OIDC config not loaded	Restart `argocd-server` after editing `argocd-cm`
"Failed to authenticate"	Client secret mismatch	Verify `argocd-secret` matches Nauthera credentials
Groups not appearing	`scopes` not set in RBAC config	Add `scopes: "[groups]"` to `argocd-rbac-cm`
Redirect URI error	Callback URL mismatch	Ensure `redirectUris` includes `/auth/callback`
Always read-only	Group names don't match RBAC policy	Check exact group names with `kubectl get secret argocd-credentials`

OidcClient — Full CRD reference
AuthPolicy — Scope and claim mapping configuration
User Management — Creating users and groups

PreviousGrafana NextHarbor

Argo CD

#What you will set up

#Prerequisites

#Step 1 — Create the OidcClient

#Step 2 — Enable the groups scope

#Step 3 — Configure Argo CD

#argocd-cm ConfigMap

#argocd-secret Secret

#argocd-rbac-cm ConfigMap

#Step 4 — Verify

#Helm values (argo-cd chart)

#Restricting access

#Troubleshooting

#Related

Argo CD

#What you will set up

#Prerequisites

#Step 1 — Create the OidcClient

#Step 2 — Enable the groups scope

#Step 3 — Configure Argo CD

#argocd-cm ConfigMap

#argocd-secret Secret

#argocd-rbac-cm ConfigMap

#Step 4 — Verify

#Helm values (argo-cd chart)

#Restricting access

#Troubleshooting

#Related

What you will set up

Prerequisites

Step 1 — Create the OidcClient

Step 2 — Enable the groups scope

Step 3 — Configure Argo CD

argocd-cm ConfigMap

argocd-secret Secret

argocd-rbac-cm ConfigMap

Step 4 — Verify

Helm values (argo-cd chart)

Restricting access

Troubleshooting

Related

What you will set up

Prerequisites

Step 1 — Create the OidcClient

Step 2 — Enable the groups scope

Step 3 — Configure Argo CD

argocd-cm ConfigMap

argocd-secret Secret

argocd-rbac-cm ConfigMap

Step 4 — Verify

Helm values (argo-cd chart)

Restricting access

Troubleshooting

Related