# Securing Argo
Argo is an open-source container-native workflow engine for orchestrating parallel jobs on Kubernetes. This guide covers how to add authentication and authorization to Argo using Pomerium.
# Install Argo
To install Argo in Kubernetes you can either follow the official installation instructions or use Helm. This guide will use the Helm chart.
Run the following commands:
```bash
helm repo add argo https://argoproj.github.io/argo-helm
helm repo update
helm install \
  --namespace kube-system \
  --set minio.install=true \
  --set installCRD=false \
  argo argo/argo
kubectl apply \
  --namespace kube-system \
  --filename https://raw.githubusercontent.com/argoproj/argo/master/manifests/base/crds/workflow-crd.yaml
```
You should now have a working Argo installation using Minio to store artifacts. Both Argo and Minio provide web-based GUIs. Confirm that Minio is working by running:
```bash
kubectl --namespace kube-system port-forward svc/argo-minio 9000:9000
```
You should now be able to reach the Minio UI by accessing http://localhost:9000/minio. If you're curious, the Access Key and Secret Key are generated by the Helm chart and stored in a Kubernetes secret:
```bash
kubectl --namespace=kube-system get secret argo-minio -o yaml
```
For now though, let's terminate the Minio `kubectl port-forward` and create one for the Argo UI:
```bash
kubectl --namespace kube-system port-forward svc/argo-server 2746:2746
```
Visiting http://localhost:2746 should take you to the Argo Workflows dashboard.
# Install NGINX Ingress Controller
We will use NGINX as our ingress controller. To install it with Helm, run the following commands:
```bash
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install --namespace kube-system ingress-nginx ingress-nginx/ingress-nginx
```
# Install Pomerium
As with Argo, we will install Pomerium using the Helm chart. First create a `values.yaml` file (replacing the `email.is` and IDP `provider`/`clientID`/`clientSecret` with your own):
```yaml
config:
  routes:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      policy:
        - allow:
            or:
              - email:
                  is: user@example.com

authenticate:
  idp:
    provider: google
    clientID: REPLACE_ME
    clientSecret: REPLACE_ME

ingress:
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: https
```
Run the following commands (replacing the IDP `provider`/`clientID`/`clientSecret` with your own):
```bash
helm repo add pomerium https://helm.pomerium.io
helm repo update
helm install \
  --set config.sharedSecret="$(head -c32 /dev/urandom | base64)" \
  --set config.cookieSecret="$(head -c32 /dev/urandom | base64)" \
  --values values.yaml \
  pomerium pomerium/pomerium
```
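A pre-flight check for the two inputs to this install, the `values.yaml` file and the generated secrets, is sketched below. It is an added example, not part of the original guide or of Pomerium's tooling; the function names `gen_secret`, `check_secret`, `check_values` and `sample_values`, and the filled-in sample values, are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before `helm install pomerium`.
# All function names here are hypothetical helpers, not Pomerium tooling.

# Same generator as the install command on this page.
gen_secret() { head -c32 /dev/urandom | base64; }

# A generated secret must decode to exactly 32 bytes (256 bits).
check_secret() {
  local n
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d '[:space:]')
  [ "$n" = 32 ]
}

# Reject a values file that still carries the template's placeholders,
# exposes a route over plain HTTP, or has no policy block at all.
check_values() {
  local f=$1 rc=0
  if grep -qE 'REPLACE_ME|user@example\.com' "$f"; then
    echo "$f: placeholder values not replaced" >&2; rc=1
  fi
  if grep -qE '^[[:space:]]*-?[[:space:]]*from:[[:space:]]*http://' "$f"; then
    echo "$f: route 'from' URL must be https" >&2; rc=1
  fi
  if ! grep -qE '^[[:space:]]*policy:' "$f"; then
    echo "$f: no policy block found" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample: the page's values.yaml with placeholders filled in.
sample_values() {
  cat <<'EOF'
config:
  routes:
    - from: https://argo.localhost.pomerium.io
      to: http://argo-server.kube-system.svc.cluster.local:2746
      policy:
        - allow:
            or:
              - email:
                  is: alice@corp.example
authenticate:
  idp:
    provider: google
    clientID: constructed-client-id
    clientSecret: constructed-client-secret
EOF
}
```

Source the file, then run `check_values values.yaml` and `check_secret "$SECRET"` before `helm install`; each returns non-zero on failure.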
You should now be able to reach Argo by using `kubectl port-forward` with the NGINX ingress controller (binding `:443` may require using `sudo` with `kubectl`):
```bash
kubectl --namespace kube-system port-forward svc/ingress-nginx-controller 443:443
```
And visit: https://argo.localhost.pomerium.io/.