---
title: Argo
lang: en-US
meta:
  - name: keywords
    content: pomerium identity-access-proxy argo argo-cd
description: >-
  This guide covers how to add authentication and authorization to an instance
  of argo.
---

# Securing Argo

[Argo](https://argoproj.github.io/projects/argo) is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.

## Install Argo

To install Argo in Kubernetes, you can either follow the instructions [here](https://github.com/argoproj/argo/blob/master/docs/getting-started.md) or use [Helm](https://github.com/argoproj/argo-helm/tree/master/charts/argo). This guide will use the Helm chart. Run the following commands:

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install \
  --namespace kube-system \
  --set minio.install=true \
  --set installCRD=false \
  argo argo/argo
kubectl apply \
  --namespace kube-system \
  --filename https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml
```

You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running:

```bash
kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
```

You should now be able to reach the Minio UI by accessing . If you're curious, the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:

```bash
kubectl --namespace=kube-system get secret argo-minio -o yaml
```

For now though, let's terminate the Minio `kubectl port-forward` and create one for the Argo UI:

```bash
kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
```

Visiting should take you to the Argo Workflows dashboard.

## Install NGINX Ingress Controller

We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller.
To install it with Helm, run the following commands:

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
```

## Install Pomerium

As with Argo, we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First create a `values.yaml` file (replacing the `allowed_users` and IDP `provider`/`clientID`/`clientSecret` with your own):

```yaml
config:
  rootDomain: localhost.pomerium.io
  policy:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      allowed_users:
        - REPLACE_ME

authenticate:
  idp:
    provider: google
    clientID: REPLACE_ME
    clientSecret: REPLACE_ME

ingress:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https
```

Run the following commands (replacing the IDP `provider`/`clientID`/`clientSecret` with your own):

```bash
helm repo add pomerium https://helm.pomerium.io
helm repo update
helm install \
  --set config.sharedSecret="$(head -c32 /dev/urandom | base64)" \
  --set config.cookieSecret="$(head -c32 /dev/urandom | base64)" \
  --values values.yaml \
  pomerium pomerium/pomerium
```

You should now be able to reach Argo by using `kubectl port-forward` with the NGINX ingress controller (binding port 443 may require running kubectl with sudo):

```bash
kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
```

And visit: .
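
A pre-flight check to run before the Pomerium `helm install` above, added here as an example and not part of the Pomerium or Argo projects: it rejects a `values.yaml` that still contains `REPLACE_ME` or has a route with no allow-list, and checks that a generated secret decodes to 32 bytes. The function names are hypothetical and the sample file is constructed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for this guide's values.yaml and secrets.
# Function names are hypothetical; the sample file at the bottom is constructed.

# Succeeds only if the file is readable and no template placeholder remains.
no_placeholders() {
  [ -r "$1" ] && ! grep -q 'REPLACE_ME' "$1"
}

# Succeeds only if every "- from:" route is followed by an allow-list key before
# the next route starts. Checks that the key is present, not that it has entries.
routes_have_allowlist() {
  awk '
    /^[[:space:]]*- from:/ { if (seen && !ok) bad = 1; seen = 1; ok = 0 }
    /^[[:space:]]*allowed_(users|groups|domains):/ { ok = 1 }
    END { if (seen && !ok) bad = 1; exit bad + 0 }
  ' "$1"
}

# A secret produced by `head -c32 /dev/urandom | base64` must decode to 32 bytes.
secret_is_32_bytes() {
  [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')" = "32" ]
}

# Run both file checks and report the first failure on stderr.
preflight() {
  no_placeholders "$1" || { echo "unfilled REPLACE_ME in $1" >&2; return 1; }
  routes_have_allowlist "$1" || { echo "route without allow-list in $1" >&2; return 1; }
}

# Constructed sample: the guide's policy with the placeholder still in place.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
config:
  policy:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      allowed_users:
        - REPLACE_ME
EOF
preflight "$sample" || echo "fix values.yaml before running helm install"
rm -f "$sample"
```
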