mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-02 03:46:29 +02:00
* install VuePress Plugin Tabs https://www.npmjs.com/package/vuepress-plugin-tabs * init Enterprise documentation section * replace Vuepress tab plugin now using https://github.com/superbiger/vuepress-plugin-tabs * init Enterprise Quickstart * block of enterprise doc updates * Helm Quickstart Update (#2380) * removed/fixed redundant or incorrect config And some small copy edits * Update docs/docs/quick-start/helm.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * init console with helm doc * squash me * codeblock fix * init about page * updates to Enterprise section * consolidate on Postgres * WIP helm updates * update and align OS and Enterprise helm docs * Enterprise settings docs (#2397) * init console-specific reference docs files * remove shortdoc for name * init Enterprise Reference doc * expanding Enterprise Reference * init JS script for reference subpages When reviewing please remember that I'm not a developer, be kind * update script and apply * remove errant dep * document script and expand for CLI help output * import pomerium-console_serve.yaml In future iterations, this file should be sourced at build time as an artifact from the pomerium-console repo * init new output file * update script call and output * fix anchor links * BROKEN - import content from settings.yaml when dupe is true * filtering WiP * fix dupe script, more content * replace if dupe with if not docs * squash me * squash me! 
* add docs about PPL (#2404) * squash meeeeee * Update docs/enterprise/install/quickstart.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * symlink img dir from docs/reference * squash mee * update install reqs * Fixed links throughout * Update docs/enterprise/install/quickstart.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/enterprise/install/quickstart.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * remove internal note * - format python with black - format js with prettier Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * optimize images with imageOptim Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * run prettier on config.js Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * concepts.md Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * update concepts Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com> * copy edits * typo * symlink img dir from docs/reference * modify TLS section in quick-start * rm whitespace * add common links postamble * block of updates * block of updates * updates with @travisgroth * turtles all the way down * more content * import all the things * fill out reports * fill out reports * fix file extension * fix links * crosslink PPL ref * document embedded prometheus * expand example * update reqs * document non-directory users * typo fix * update metrics_address * fix broken links in example configs * update examples for route syntax * replaced required with deprecated Note that I didn't link to the route reference because I'm unsure what link formats are accepted when this file is used elsewhere. The warning block below includes a link. 
* update enterprise/about * Update docs/enterprise/console-settings.yaml Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/console-settings.yaml Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * remove commented config lines * update non-domain user section in concepts * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/about.md Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * Update docs/enterprise/concepts.md Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> * add console route to OSS conf * update enterprise settings copy from source file * Update docs/enterprise/concepts.md * Update reports reference * merge conflict resolution * update sourced doc content, fix whitespace Co-authored-by: Travis Groth <travisgroth@users.noreply.github.com> Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com> Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
109 lines
3.6 KiB
Markdown
---
title: Argo
lang: en-US
meta:
  - name: keywords
    content: pomerium identity-access-proxy argo argo-cd
description: >-
  This guide covers how to add authentication and authorization to an instance
  of argo.
---

# Securing Argo

[Argo](https://argoproj.github.io/projects/argo) is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.

## Install Argo

To install Argo in Kubernetes you can either follow the instructions [here](https://github.com/argoproj/argo/blob/master/docs/getting-started.md), or use [Helm](https://github.com/argoproj/argo-helm/tree/master/charts/argo). This guide will use the Helm chart.

Run the following commands:

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install \
  --namespace kube-system \
  --set minio.install=true \
  --set installCRD=false \
  argo argo/argo
kubectl apply \
  --namespace kube-system \
  --filename https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml
```

You should now have a working Argo installation using [Minio](https://min.io/) to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running:

```bash
kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
```

You should now be able to reach the Minio UI by accessing <http://localhost:9000/minio>. If you're curious, the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret (the values appear base64-encoded in the output):

```bash
kubectl --namespace=kube-system get secret argo-minio -o yaml
```

For now though, let's terminate the Minio `kubectl port-forward` and create one for the Argo UI:

```bash
kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
```

Visiting <http://localhost:2746> should take you to the Argo Workflows dashboard.

## Install NGINX Ingress Controller

We will use [NGINX](https://kubernetes.github.io/ingress-nginx/deploy/#using-helm) as our ingress controller. To install it with Helm, run the following commands:

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
```

## Install Pomerium

As with Argo, we will install Pomerium using the [Helm chart](https://github.com/pomerium/pomerium-helm). First, create a `values.yaml` file (replacing the `email.is` value and the IDP `provider`/`clientID`/`clientSecret` with your own):

```yaml
config:
  routes:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      policy:
        - allow:
            or:
              - email:
                  is: bdd@pomerium.io

authenticate:
  idp:
    provider: google
    clientID: REPLACE_ME
    clientSecret: REPLACE_ME

ingress:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https
```

Run the following commands (replacing the IDP `provider`/`clientID`/`clientSecret` with your own):

```bash
helm repo add pomerium https://helm.pomerium.io
helm repo update
helm install \
  --set config.sharedSecret="$(head -c32 /dev/urandom | base64)" \
  --set config.cookieSecret="$(head -c32 /dev/urandom | base64)" \
  --values values.yaml \
  pomerium pomerium/pomerium
```

You should now be able to reach Argo by using `kubectl port-forward` with the NGINX ingress controller (binding `:443` may require running `kubectl` with `sudo`):

```bash
kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
```

Then visit <https://argo.localhost.pomerium.io/>.

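
To confirm that the route is enforced and not just reachable, the following added example (not part of the original guide or the Pomerium project) sends one request without a session and classifies the answer. It assumes Pomerium answers unauthenticated requests with a redirect to its authenticate service on a different hostname than the route, and that the ingress port-forward above is still running; the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the Pomerium docs): confirm that a request with no
# session is sent to sign-in instead of being served the Argo dashboard.
# Function names are hypothetical.

# url_host URL -> prints the host part of an absolute http(s) URL, or nothing.
url_host() {
  printf '%s' "$1" | sed -n 's#^https\{0,1\}://\([^/:]*\).*#\1#p'
}

# classify_response STATUS LOCATION ROUTE_HOST
#   protected    : redirect to a different host (the sign-in flow)
#   exposed      : 2xx returned to a client that never authenticated
#   inconclusive : anything else (connection error, same-host redirect, 4xx/5xx)
classify_response() {
  cr_loc_host="$(url_host "$2")"
  case "$1" in
    3??)
      if [ -n "$cr_loc_host" ] && [ "$cr_loc_host" != "$3" ]; then
        echo protected
      else
        echo inconclusive
      fi
      ;;
    2??) echo exposed ;;
    *) echo inconclusive ;;
  esac
}

# check_route URL: send one unauthenticated request and classify the answer.
# -k is an assumption: the local setup may not present a trusted certificate.
check_route() {
  cr_out="$(curl -sk -o /dev/null --max-time 10 \
    -w '%{http_code} %{redirect_url}' "$1")" || true
  classify_response "${cr_out%% *}" "${cr_out#* }" "$(url_host "$1")"
}

# Probe only when a URL is given, e.g.:
#   sh check-route.sh https://argo.localhost.pomerium.io/
if [ "$#" -gt 0 ]; then
  check_route "$1"
fi
```

An `exposed` result means the dashboard was returned to a client that never authenticated, so the route or its policy should be reviewed before the ingress is made reachable to anyone else.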