
Argo auth with Google Cloud Identity Access Proxy (IAP) #4531

Closed
hadim opened this issue Nov 14, 2020 · 12 comments
Labels
type/feature Feature request

Comments

@hadim

hadim commented Nov 14, 2020

I have been able to set up access to Argo on a GKE cluster with a Google Cloud Identity Access Proxy. Currently, the argo server runs in auth client mode. It looks like the IAP proxy is transparent for argo in that case.

I am confused about how to make argo "aware" of the upstream IAP proxy and use the SSO argo feature.

Has anyone already configured an argo cluster with Google IAP?

Currently running on Argo 2.10.2 and planning to upgrade to 2.12 once it's released.

@hadim hadim added the type/feature Feature request label Nov 14, 2020
@hadim
Author

hadim commented Nov 14, 2020

Also probably related to argoproj/argo-cd#2224

@alexec
Contributor

alexec commented Nov 16, 2020

We do not run GCP, so we don't know. Maybe ask in the Slack channel?

@hadim
Author

hadim commented Nov 16, 2020

Will do, thanks. I'll also leave this open so others might jump in.

@alexec
Contributor

alexec commented Dec 9, 2020

We have several files where we have

	// load the azure plugin (required to authenticate against AKS clusters).
	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
	// load the gcp plugin (required to authenticate against GKE clusters).
	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
	// load the oidc plugin (required to authenticate with OpenID Connect).
	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"

And this should be

_ "k8s.io/client-go/plugin/pkg/client/auth"

Might help fix this.

@simster7
Member

simster7 commented Jan 5, 2021

Fix for this is out on https://github.com/argoproj/argo/releases/tag/v2.12.3

@simster7 simster7 closed this as completed Jan 5, 2021
@hadim
Author

hadim commented Jan 5, 2021

Thanks. I am a bit confused about what "all supported authentication plugins" exactly means. Does it specifically support GCP IAP? I am asking because GCP IAP is a proxy that performs the auth before the request reaches Argo. Argo only receives an auth request with some specific headers I guess.

@dpkirchner

dpkirchner commented Apr 28, 2021

@hadim I believe that fix was for authenticating with Kubernetes' API server, not for front-end UI users. As far as I can tell, Argo does not support IAP.

Edited to add: "does not", don't know how I missed that crucial bit.

@max-sixty
Contributor

We run argo successfully with IAP (it's great!), here are our manifests:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: argo-server-ingress
  annotations:
    # Unclear whether this is needed, from
    # https://argoproj.github.io/argo/argo-server/#access-the-argo-workflows-ui
    ingress.kubernetes.io/rewrite-target: /$2
    # https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
    kubernetes.io/ingress.global-static-ip-name: argo-address
    networking.gke.io/managed-certificates: argo-certificate
spec:
  backend:
    serviceName: argo-server
    # https://stackoverflow.com/questions/51572249/why-does-google-cloud-show-an-error-when-using-clusterip
    servicePort: web

---
apiVersion: v1
kind: Service
metadata:
  name: argo-server
  annotations:
    beta.cloud.google.com/backend-config: '{"default": "config-default"}'
spec:
  type: NodePort

---
# https://cloud.google.com/iap/docs/enabling-kubernetes-howto
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: {...}

---
# Kustomize patch, for v3, where IAP runs the https load balancer
patchesStrategicMerge:
  # For running Argo behind IAP: https://github.com/argoproj/argo-workflows/issues/5582
  - |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argo-server
    spec:
      template:
        spec:
          containers:
            - name: argo-server
              args:
                - server
                - "--secure=false"
              readinessProbe:
                httpGet:
                  scheme: HTTP

This is mostly cobbled together, so lmk any better approaches

@dpkirchner

@max-sixty yeah -- I should have been more clear. While you can run Argo behind IAP, it cannot (as far as I can tell) integrate with Argo's authentication systems, so you still have to log in after logging in to Google. I could definitely be wrong, but I've spent a lot of time and dug through the code, all to no avail.

@max-sixty
Contributor

Ah, yes @dpkirchner , that makes sense.

@cydergoth

Posted this on the related comment but it may also be useful here:

I have this working using Dex AuthProxy, but it's a bit of a hack. The problem I have yet to solve is how to use a GCP Service Account identity to call the ArgoCD API, either via the IAP-exposed endpoint or directly backend-to-backend from StackStorm to the ArgoCD API in the same cluster.

    dex.config: |
        connectors:
          - type: authproxy
            id: iap_proxy
            name: "Google IAP Proxy"
            config:
              userHeader: "X-Goog-Authenticated-User-Email"
    extraArgs: # Disable HTTPS as the LBA terminates it
      - --insecure
      - --rootpath=/argocd

@jl178

jl178 commented Jan 12, 2023

I was able to get GCP IAP to integrate with ArgoCD without the extra login hop. Once a user logs in with their Google credentials, it redirects them to the application homepage. However, this solution disables the dex server and RBAC configs. If you need either, this isn't the solution.

Here is my example helm values.yaml:

dex:
  enabled: false
server:
  extraArgs:
    - '--insecure'
  service:
    annotations:
      beta.cloud.google.com/backend-config: '{"default": "iap-config"}'
configs:
  params:
    server.disable.auth: true
  rbac:
    create: false

Also note, this was configured with the official ArgoCD Helm chart version number 5.16.13.
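The manifests from @max-sixty and the Helm values from @jl178 above rely on the same pairing: argo-server runs plain HTTP with its own TLS/auth switched off, and the GKE Service's backend-config annotation is what actually puts IAP in front of it. The Python check below is an added example (not Argo's code and not either commenter's) that verifies that pairing over a constructed dict copy of the posted manifests, so that a BackendConfig with IAP switched off is caught before the server is exposed; object names come from the thread, and the OAuth secret name is a placeholder.

```python
import json
from copy import deepcopy

def _backend_config_name(service):
    """Name of the BackendConfig a GKE Service is bound to via its annotation."""
    raw = service.get("metadata", {}).get("annotations", {}).get(
        "beta.cloud.google.com/backend-config")
    return json.loads(raw).get("default") if raw else None

def check_iap_fronted(objects):
    """Return findings (empty list == consistent) for a set of manifest dicts.

    Rule: every Service that an Ingress exposes must be bound to a
    BackendConfig with spec.iap.enabled true. Otherwise argo-server, which the
    thread runs with --secure=false / --insecure because the load balancer
    terminates TLS, would be reachable with nothing authenticating in front."""
    by_kind = {}
    for obj in objects:
        by_kind.setdefault(obj["kind"], {})[obj["metadata"]["name"]] = obj
    iap_on = {name for name, bc in by_kind.get("BackendConfig", {}).items()
              if bc.get("spec", {}).get("iap", {}).get("enabled") is True}
    findings = []
    for ing in by_kind.get("Ingress", {}).values():
        svc_name = ing["spec"]["backend"]["serviceName"]
        svc = by_kind.get("Service", {}).get(svc_name)
        if svc is None:
            findings.append(f"Ingress {ing['metadata']['name']} targets missing Service {svc_name}")
        elif _backend_config_name(svc) not in iap_on:
            findings.append(f"Service {svc_name} is exposed without an IAP-enabled BackendConfig")
    return findings

# Constructed sample mirroring the manifests posted above (names from the thread).
SAMPLE = [
    {"kind": "Ingress", "metadata": {"name": "argo-server-ingress"},
     "spec": {"backend": {"serviceName": "argo-server", "servicePort": "web"}}},
    {"kind": "Service",
     "metadata": {"name": "argo-server", "annotations": {
         "beta.cloud.google.com/backend-config": '{"default": "config-default"}'}},
     "spec": {"type": "NodePort"}},
    {"kind": "BackendConfig", "metadata": {"name": "config-default"},
     "spec": {"iap": {"enabled": True,
                      "oauthclientCredentials": {"secretName": "PLACEHOLDER-SECRET"}}}},
]

def weakened_sample():
    """Same set with IAP switched off: the misconfiguration the check must catch."""
    objs = deepcopy(SAMPLE)
    objs[2]["spec"]["iap"]["enabled"] = False
    return objs

if __name__ == "__main__":
    print(check_iap_fronted(SAMPLE))             # []
    print(check_iap_fronted(weakened_sample()))  # one finding naming argo-server
```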
