pomerium/docs/guides/argo.md


title: Argo
lang: en-US
meta:
  - name: keywords
    content: pomerium identity-access-proxy argo argo-cd
description: This guide covers how to add authentication and authorization to an instance of argo.

Securing Argo

Argo is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.

Install Argo

To install Argo in Kubernetes, you can either follow the instructions here or use Helm. This guide uses the Helm chart.

Run the following commands:

helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install \
    --namespace kube-system \
    --set minio.install=true \
    --set installCRD=false \
    argo argo/argo
kubectl apply \
    --namespace kube-system \
    --filename https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml

You should now have a working Argo installation using Minio to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running:

kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000

You should now be able to reach the Minio UI at http://localhost:9000/minio. The Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret, which you can read with the command below; the values in the output are base64-encoded, not encrypted:

kubectl --namespace=kube-system get secret argo-minio -o yaml

For now though, let's terminate the Minio kubectl port-forward and create one for the Argo UI:

kubectl --namespace kube-system port-forward svc/argo-server 2746:2746

Visiting http://localhost:2746 should take you to the Argo Workflows dashboard.

Install NGINX Ingress Controller

We will use NGINX as our ingress controller. To install it with Helm, run the following commands:

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx

Install Pomerium

As with Argo, we will install Pomerium using the Helm chart. First create a values.yaml file, replacing the allowed_users entry and the IDP provider/clientID/clientSecret with your own:

config:
  rootDomain: localhost.pomerium.io
  policy:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      allowed_users:
        - REPLACE_ME

authenticate:
  idp:
    provider: google
    clientID: REPLACE_ME
    clientSecret: REPLACE_ME

ingress:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https

Then run the following commands, which generate a random sharedSecret and cookieSecret and install Pomerium with the values.yaml created above:

helm repo add pomerium https://helm.pomerium.io
helm repo update
helm install \
    --set config.sharedSecret="$(head -c32 /dev/urandom | base64)" \
    --set config.cookieSecret="$(head -c32 /dev/urandom | base64)" \
    --values values.yaml \
    pomerium pomerium/pomerium
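
A pre-flight check for the values.yaml and secrets used in this section, added here as an example (it is not part of the Pomerium guide or Helm chart). The function names gen_secret, secret_ok and check_values are hypothetical; the script relies only on grep, head, base64 and wc.

```shell
#!/bin/sh
# Pre-flight checks to run before `helm install` (added example).
# Function names are hypothetical, not part of Pomerium or its chart.

# Generate a secret the same way the helm command does:
# 32 random bytes, base64-encoded.
gen_secret() {
    head -c32 /dev/urandom | base64
}

# Succeed only if the argument is base64 that decodes to exactly 32 bytes.
# A 32-character plain string fails, because it decodes to fewer bytes.
secret_ok() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Print one line per problem found in a values file; return non-zero if any.
check_values() {
    file=$1
    rc=0
    # A leftover placeholder means no real user or IdP client is configured.
    if grep -q 'REPLACE_ME' "$file"; then
        echo "placeholder REPLACE_ME still present"; rc=1
    fi
    # The externally reachable side of every route should be HTTPS.
    if grep -E '^[[:space:]]*-?[[:space:]]*from:' "$file" \
        | grep -qv 'from: https://'; then
        echo "route 'from' URL is not https"; rc=1
    fi
    # A route needs an allow rule; this guide uses allowed_users.
    if ! grep -Eq '^[[:space:]]*allowed_(users|groups|domains):' "$file"; then
        echo "no allowed_users/allowed_groups/allowed_domains rule"; rc=1
    fi
    return $rc
}

# Usage: run from the directory that holds values.yaml.
if [ -f values.yaml ]; then check_values values.yaml; fi
```
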

You should now be able to reach Argo through the NGINX ingress controller by using kubectl port-forward (binding :443 may require running kubectl with sudo):

kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443

Then visit https://argo.localhost.pomerium.io/.