Google SSO and ArgoCD Localhost

TL; DR: I needed to enable Google SSO for ArgoCD at localhost because I planned to upgrade Istio using ArgoCD however the process will make ArgoCD unavailable as the ingress gateway ArgoCD depends on will be replaced

I was doing an Istio upgrade for yet another GKE cluster but this time it’s a bit special because it’s the same cluster where ArgoCD resides in. If I simply go ahead and let ArgoCD do the upgrade, I’d lost access to ArgoCD half way during the process since the old ingress gateway will be deleted by ArgoCD – in my case, the upgrade is from an old istio-operator to a new sail-operator so in-place upgrade is a bit too hard or just impossible.

So the insurance policy is to get ArgoCD accessible at http://localhost:8080 through a kubectl port-forward. The port forward part is a no-brainer however since Google SSO was configured for the ArgoCD, it has to be enabled for localhost login too. Here’s how I did it.

Following ArgoCD’s official guide to Google SSO, add localhost:8080 as an authorised domain:

It can also be http instead of https if the ArgoCD is configured that way, ie. if TLS is terminated at Istio.

The next step is to do the same for ArgoCD:

# k edit cm argocd-cm
apiVersion: v1
data:
  accounts.argocd-api: apiKey
  admin.enabled: "false"
  dex.config: |-
    "connectors":
    - "config":
        ...
        "redirectURI": "https://localhost:8080/api/dex/callback"
      "id": "google"
      "name": "Google"
      "type": "google"
  ...
  url: "https://localhost:8080"

The the argocd-server will have to be restarted and that’s all I had to do to use ArgoCD with Google SSO at localhost 🙂

August 18, 2025

admin

Systems Admin

ArgoCD, Google Cloud