Argo with nested keycloak groups

[luylucas10]

Motivation

I'm using Keycloak to control user access in the ArgoCD UI/applications. We have structured our groups like this:

• /Manager/Sector/Project-App/Environment

I want to use this structure to allow or deny user access to applications.

Difficult

ArgoCD seems to use only the last level of the group that comes with the token, in this case, the environment.

Attempts

I tried the following:

• In project roles, I used this:
  • "{{ upper $projectData.ManagerName }}/{{ upper $projectData.sectorName }}/{{ upper $projectData.projectName }}-{{ upper $app }}/{{ upper $env }}" (I have all this information in values.yaml)
• In Keycloak, I have groups nested like this: ManagerName > sectorName > projectName-appName > environment
• I used full_group_path in the mapper.

In the user information section in the ArgoCD UI, I can see my groups as /ManagerName/sectorName/projectName-appName/environment. However, even with the group set in the project, I can't see any applications.

But when I simplify the structure like this:

• ManagerName > sectorName > projectName-appName-environment
• Remove full_path from Keycloak and use the following:
  • "{{ upper $projectData.projectName }}-{{ upper $app }}-{{ upper $env }}"

I can see the applications, and in the user information, I see the projectName-appName-environment group.

Conclusion

ArgoCD does not support mapping nested groups for use.

Question

Did I something wrong in this configuration? Or ArgoCD just doesn't support this yet and we have (or not) a plan to support this feature?

Cluster Bootstrap Model (working with projectName-appName-environment example, simplified)

Project Model

{{- $appProjectsMap := dict }}
{{- range $application := .Values.argocd.appOfApps.applications }}
  {{- $projectKey := printf "%s-%s-%s" $application.managerName $application.coordinationName $application.project | trunc 63 }}
  {{- if not (hasKey $appProjectsMap $projectKey) }}
    {{- $_ := set $appProjectsMap $projectKey (dict "managerName" $application.managerName "coordinationName" $application.coordinationName "projectName" $application.project "environments" (list) "apps" (list)) }}
  {{- end }}
  {{- $_ := set $appProjectsMap $projectKey (merge (get $appProjectsMap $projectKey) (dict "environments" (uniq (append (get (get $appProjectsMap $projectKey) "environments") $application.environment)) "apps" (append (get (get $appProjectsMap $projectKey) "apps") $application.name))) }}
{{- end }}

{{- range $projectKey, $projectData := $appProjectsMap }}
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: {{ $projectKey }}
  namespace: argocd
spec:
  sourceRepos:
    - '*'
  destinations:
    - namespace: {{ $projectData.coordinationName }}-{{ $projectData.projectName }}
      server: '*'
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  roles:
    {{- range $app := $projectData.apps }}
      {{- range $env := $projectData.environments }}
    - name: {{ printf "%s-%s" $app $env }}
      groups:
        - "{{ upper $projectData.projectName }}-{{ upper $app }}-{{ upper $env }}"
      policies:
        - p, proj:{{$projectKey}}:{{ printf "%s-%s" $app $env }}, applications, get, *, allow
        - p, proj:{{$projectKey}}:{{ printf "%s-%s" $app $env }}, applications, sync, *, allow
      {{- end }}
    {{- end }}
{{- end }}

Application Model:

{{- range $application := .Values.argocd.appOfApps.applications }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: {{ printf "%s-%s-%s" $application.project $application.name $application.environment | trunc 63 | trimSuffix "-" }}
  namespace: argocd
  labels: {}
  annotations:
    field.cattle.io/projectId: "{{ $application.coordinationName }}-{{ $application.project }}:{{ $application.rancherProjectId }}"
spec:
  destination:
    name: {{ $application.cluster }}
    namespace: {{ $application.coordinationName }}-{{ $application.project }}
  project: {{ printf "%s-%s-%s" $application.managerName $application.coordinationName $application.project | trunc 63 }}
  revisionHistoryLimit: 10
  source:
    repoURL: {{ $application.gitops }}
    targetRevision: HEAD
    path: '.'
    helm:
      valueFiles:
        - {{ $application.environment }}.yaml
  syncPolicy:
    managedNamespaceMetadata:
      labels: {}
      annotations:
        field.cattle.io/projectId: "{{ $application.coordinationName }}-{{ $application.project }}:{{ $application.rancherProjectId }}"
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - CreateNamespace=true
    - ServerSideApply=true
---
{{- end }}

Values

argocd:
  appOfApps:
    appProjects:
      - name: projectName
        managerName: manager
        coordinationName: sector
        customerName: customerName
        projectName: projectName
        appName: applicationName
        environmentName: dev
      
    applications:
      - name: applicationName
        project: projectName
        environment: dev
        cluster: dev
        gitops: https://git.ops/repository.git
        managerName: manager
        coordinationName: sector
        customerName: customr
        rancherProjectId: rancher-project-id
      

p.s.: I'll simplify some attributes