# Securing Argo

Argo is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.

# Install Argo

To install Argo in Kubernetes, you can either follow the instructions here or use Helm. This guide uses the Helm chart.

Run the following commands:

```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install \
    --namespace kube-system \
    --set minio.install=true \
    --set installCRD=false \
    argo argo/argo
kubectl apply \
    --namespace kube-system \
    --filename https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml
```

You should now have a working Argo installation using Minio to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running:

```bash
kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
```

You should now be able to reach the Minio UI at http://localhost:9000/minio. If you're curious, the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:

```bash
kubectl --namespace=kube-system get secret argo-minio -o yaml
```

For now though, let's terminate the Minio kubectl port-forward and create one for the Argo UI:

```bash
kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
```

Visiting http://localhost:2746 should take you to the Argo Workflows dashboard.

# Install NGINX Ingress Controller

We will use NGINX as our ingress controller. To install it with Helm, run the following commands:

```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
```

# Install Pomerium

As with Argo, we will install Pomerium using the Helm chart. First create a `values.yaml` file (replacing the allowed_users and IDP provider/clientID/clientSecret with your own):

```yaml
config:
  rootDomain: localhost.pomerium.io
  policy:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      allowed_users:
        - REPLACE_ME

authenticate:
  idp:
    provider: google
    clientID: REPLACE_ME
    clientSecret: REPLACE_ME

ingress:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https
```

Run the following commands (replacing the IDP provider/clientID/clientSecret with your own):

```bash
helm repo add pomerium https://helm.pomerium.io
helm repo update
helm install \
    --set config.sharedSecret="$(head -c32 /dev/urandom | base64)" \
    --set config.cookieSecret="$(head -c32 /dev/urandom | base64)" \
    --values values.yaml \
    pomerium pomerium/pomerium
```
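
A pre-flight check that can be run before the `helm install` above, as an added example (not part of the original guide or the Pomerium project). `check_values` and `check_secret` are hypothetical helper names, and the filled-in sample values are constructed:

```shell
#!/usr/bin/env bash
# Pre-flight checks to run before `helm install ... pomerium pomerium/pomerium`.

# check_values FILE: fail if the values file still holds REPLACE_ME
# placeholders or defines a route whose `from` URL is not https.
check_values() {
    local file="$1" rc=0
    if grep -n 'REPLACE_ME' "$file" >&2; then
        echo "error: unreplaced REPLACE_ME placeholders in $file" >&2
        rc=1
    fi
    if grep -E '^[[:space:]]*-?[[:space:]]*from:' "$file" \
        | grep -qvE 'from:[[:space:]]*https://'; then
        echo "error: every route 'from' must be an https:// URL" >&2
        rc=1
    fi
    return "$rc"
}

# check_secret VALUE: succeed only if VALUE is base64 for exactly 32 bytes,
# which is what `head -c32 /dev/urandom | base64` produces.
check_secret() {
    local n
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}

# Constructed sample: the guide's values.yaml with placeholders filled in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
config:
  rootDomain: localhost.pomerium.io
  policy:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      allowed_users:
        - alice@example.com
authenticate:
  idp:
    provider: google
    clientID: example-client-id
    clientSecret: example-client-secret
EOF

secret="$(head -c32 /dev/urandom | base64)"
check_values "$sample" && check_secret "$secret" && echo "pre-flight OK"
rm -f "$sample"
```

Point `check_values` at your real `values.yaml` and pass the generated secret to `check_secret`; a non-zero exit from either means the install should not proceed.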

You should now be able to reach Argo by using kubectl port-forward with the NGINX ingress controller (binding :443 may require using sudo with kubectl):

```bash
kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
```

And visit: https://argo.localhost.pomerium.io/.