mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-04 01:09:36 +02:00
docs: add argo recipe (#803)
parent
c1e648e0a9
commit
49c323ae73
2 changed files with 107 additions and 0 deletions
106
docs/recipes/argo.md
Normal file
|
@ -0,0 +1,106 @@
|
|||
---
|
||||
title: Argo
|
||||
lang: en-US
|
||||
meta:
|
||||
- name: keywords
|
||||
content: pomerium identity-access-proxy argo argo-cd
|
||||
description: >-
|
||||
This guide covers how to add authentication and authorization to an instance of argo.
|
||||
---
|
||||
|
||||
# Securing Argo
|
||||
[Argo](https://argoproj.github.io/projects/argo) is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.
|
||||
|
||||
## Install Argo
|
||||
To install Argo in Kubernetes you can either follow the instructions [here](https://github.com/argoproj/argo/blob/master/docs/getting-started.md), or use [Helm](https://github.com/argoproj/argo-helm/tree/master/charts/argo). This guide will use the Helm chart.
|
||||
|
||||
Run the following commands:
|
||||
|
||||
```bash
|
||||
helm repo add argo https://argoproj.github.io/argo-helm
|
||||
helm repo update
|
||||
helm install \
|
||||
--namespace kube-system \
|
||||
--set minio.install=true \
|
||||
--set installCRD=false \
|
||||
argo argo/argo
|
||||
kubectly apply \
|
||||
--namespace kube-system \
|
||||
--file https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml
|
||||
```
|
||||
|
||||
You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio
|
||||
provide web-based GUIs. Confirm that Minio is working by running:
|
||||
|
||||
```bash
|
||||
kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
|
||||
```
|
||||
|
||||
You should now be able to reach the Minio UI by accessing [http://localhost:9000/minio](http://localhost:9000/minio).
|
||||
If you're curious the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:
|
||||
|
||||
```bash
|
||||
kubectl --namespace=kube-system get secret argo-minio -o yaml
|
||||
```
|
||||
|
||||
For now though, let's terminate the Minio `kubectl port-forward` and create one for the Argo UI:
|
||||
|
||||
```bash
|
||||
kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
|
||||
```
|
||||
|
||||
Visiting [http://localhost:2746](http://localhost:2746) should take you to the Argo Workflows dashboard.
|
||||
|
||||
## Install NGINX Ingress Controller
|
||||
We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller.
|
||||
To install it with Helm run the following commands:
|
||||
|
||||
```bash
|
||||
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
|
||||
helm repo update
|
||||
helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
|
||||
```
|
||||
|
||||
## Install Pomerium
|
||||
Like with Argo we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create
|
||||
a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own):
|
||||
|
||||
```yaml
|
||||
config:
|
||||
rootDomain: localhost.pomerium.io
|
||||
policy:
|
||||
- from: https://argo.localhost.pomerium.io
|
||||
to: http://argo-server.kube-system.svc.cluster.local:2746
|
||||
allowed_users:
|
||||
- REPLACE_ME
|
||||
|
||||
authenticate:
|
||||
idp:
|
||||
provider: google
|
||||
clientID: REPLACE_ME
|
||||
clientSecret: REPLACE_ME
|
||||
|
||||
ingress:
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/backend-protocol: https
|
||||
```
|
||||
|
||||
Run the following commands (replacing the IDP `provider`/`clientID`/`clientSecret` with your own):
|
||||
|
||||
```bash
|
||||
helm repo add pomerium https://helm.pomerium.io
|
||||
helm repo update
|
||||
helm install \
|
||||
--set config.sharedSecret="$(head -c32 /dev/urandom | base64)" \
|
||||
--set config.cookieSecret="$(head -c32 /dev/urandom | base64)" \
|
||||
--values values.yaml \
|
||||
pomerium pomerium/pomerium
|
||||
```
|
||||
|
||||
You should now be able to reach argo by using `kubectl port-forward` with the NGINX ingress controller (binding :443 may require using sudo with kubectl):
|
||||
|
||||
```bash
|
||||
kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
|
||||
```
|
||||
|
||||
And visit: [https://argo.localhost.pomerium.io/](https://argo.localhost.pomerium.io/).
|
|
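Review bot: The last command of the first install block is spelled `kubectly apply` and uses `--file`, so pasting the block fails right after the chart was installed with `installCRD=false`, leaving the Workflow CRD missing. Suggest `kubectl apply --namespace kube-system -f <workflow-crd.yaml URL>` (kubectl's flag is `-f`/`--filename`), and consider pointing the CRD URL at a tag rather than `master` so it matches the chart being installed. Two smaller points in the same file: the sentence before the Pomerium `helm install` block repeats "replacing the IDP `provider`/`clientID`/`clientSecret` with your own", but those values live in `values.yaml` and not in the commands, so the parenthetical can go; and that `helm install` has no `--namespace`, while every other command in the guide uses `kube-system`, so it is worth stating which namespace Pomerium is meant to land in. Since the route's `to:` is plain `http://argo-server.kube-system.svc.cluster.local:2746`, a short sentence noting that the `argo-server` service itself stays reachable inside the cluster without going through Pomerium would help readers scope what the policy protects.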
@ -5,3 +5,4 @@ This section contains applications, and scenario specific guides for Pomerium.
|
|||
- The [ad-guard](./ad-guard.md) recipe demonstrates how pomerium can be used to augment web applications that only support simplistic authorization mechanisms like basic-auth with single-sign-on driven access policy.
|
||||
- The [kubernetes](./kubernetes.md) guide covers how to add authentication and authorization to kubernetes dashboard using helm, and letsencrypt certificates. This guide also shows how third party reverse-proxies like nginx/traefik can be used in conjunction with pomerium using forward-auth.
|
||||
- The [visual studio code](./vs-code-server.md) guide demonstrates how pomerium can be used to add access control to third-party applications that don't ship with [fine-grained access control](https://github.com/cdr/code-server/issues/905).
|
||||
- The [argo](./argo.md) guide demonstrates how pomerium can be used to add access control to [Argo](https://argoproj.github.io/projects/argo).
|
||||
|
|
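Review bot: The added list entry says only that the guide "can be used to add access control to Argo", which is less specific than the kubernetes entry above it and leaves open which Argo component is covered (the new page describes the workflow engine and its dashboard, while its keywords also list `argo-cd`). Suggest naming the Argo Workflows UI and the stack the recipe uses (Helm, NGINX ingress) in this line so the index matches what the guide sets up.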