Goal

As an admin, I wish to configure "login with OpenShift" with support for authorization using group memberships.

Acceptance Criteria

• As an Argo CD admin, I should be able to enable authentication/authorization ( ie, with support for groups ) using OpenShift by updating the Argo CD manifest/resource as shown here https://github.com/argoproj-labs/argocd-operator/blob/master/examples/argocd-oauth.yaml
• As an Argo CD admin/user, I should be able login to Argo CD with my OpenShift user credentials incl kubeadmin.
• The above should work in air-gapped clusters & OSD/ROSA
• See "Implementation notes" for technical requirements.

What is dex

https://argoproj.github.io/argo-cd/operator-manual/user-management/#dex

Support implications

• Customers will ONLY receive support for Argo CD + OpenShift Login with dex.
• Customers will NOT receive support for any other configuration of dex. We will evaluate if any other dex connector needs to be supported in future.
• The RH-built dex image on registry.redhat.io would be a component of OpenShift GitOps. Any usage of the same outside the context of OpenShift GitOps will not be supported by Red Hat.
• Red Hat's supported SSO product continues to be RH-SSO(Keycloak). The team will continue to work on ensuring RH-SSO works with OpenShift GitOps / Argo CD.

Implementation notes:

• Use dex for powering this capability - in alignment with the upstream deployment stack.
• DISABLE_DEX is set to false.
• The deployed dex container uses an RH built Dex image available on registry.redhat.io .

[1] https://github.com/argoproj-labs/argocd-operator/blob/master/examples/argocd-oauth.yaml