Argo auth with Google Cloud Identity Access Proxy (IAP) #4531
Comments
Also probably related to argoproj/argo-cd#2224

We do not run GCP, so we don't know. Maybe ask in the Slack channel?

Will do, thanks. I'll also leave this open so others might jump in.
We have several files where we have

```go
// load the azure plugin (required to authenticate against AKS clusters).
_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
// load the gcp plugin (required to authenticate against GKE clusters).
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
// load the oidc plugin (required to authenticate with OpenID Connect).
_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
```

And this should be `_ "k8s.io/client-go/plugin/pkg/client/auth"`. Might help fix this.
Fix for this is out on https://github.com/argoproj/argo/releases/tag/v2.12.3

Thanks. I am a bit confused about what "all supported authentication plugins" exactly means. Does it specifically support GCP IAP? I am asking because GCP IAP is a proxy that performs the auth before the request reaches Argo. Argo only receives an auth request with some specific headers, I guess.

@hadim I believe that fix was for authenticating with Kubernetes' API server, not for front-end UI users. As far as I can tell, Argo does not support IAP. Edited to add: "does not", don't know how I missed that crucial bit.
We run argo successfully with IAP (it's great!), here are our manifests:

```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: argo-server-ingress
  annotations:
    # Unclear whether this is needed, from
    # https://argoproj.github.io/argo/argo-server/#access-the-argo-workflows-ui
    ingress.kubernetes.io/rewrite-target: /$2
    # https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs
    kubernetes.io/ingress.global-static-ip-name: argo-address
    networking.gke.io/managed-certificates: argo-certificate
spec:
  backend:
    serviceName: argo-server
    # https://stackoverflow.com/questions/51572249/why-does-google-cloud-show-an-error-when-using-clusterip
    servicePort: web
---
apiVersion: v1
kind: Service
metadata:
  name: argo-server
  annotations:
    beta.cloud.google.com/backend-config: '{"default": "config-default"}'
spec:
  type: NodePort
---
# https://cloud.google.com/iap/docs/enabling-kubernetes-howto
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: {...}
---
# Kustomize patch, for v3, where IAP runs the https load balancer
patchesStrategicMerge:
  # For running Argo behind IAP: https://github.com/argoproj/argo-workflows/issues/5582
  - |-
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: argo-server
    spec:
      template:
        spec:
          containers:
            - name: argo-server
              args:
                - server
                - "--secure=false"
              readinessProbe:
                httpGet:
                  scheme: HTTP
```

This is mostly cobbled together, so lmk any better approaches.
@max-sixty yeah -- I should have been more clear. While you can run Argo behind IAP, it cannot (as far as I can tell) integrate with Argo's authentication systems, so you still have to log in after logging in to Google. I could definitely be wrong, but I've spent a lot of time and dug through the code all to no avail.
Ah, yes @dpkirchner, that makes sense.

Posted this on the related comment but it may also be useful here: I have this working using Dex AuthProxy, but it's a bit of a hack. The problem I have yet to solve is how to use a GCP Service Account identity to call the ArgoCD API, either via the IAP exposed endpoint or directly backend-to-backend from StackStorm to the ArgoCD API in the same cluster.
I was able to get GCP IAP to integrate with ArgoCD without the extra login hop. Once a user logs in with their Google credentials, it redirects them to the application homepage. However, this solution disables the dex server and RBAC configs. If you need either, this isn't the solution. Here is my example helm

Also note, this was configured with the official ArgoCD Helm chart version number
I have been able to set up access to Argo on a GKE cluster with a Google Cloud Identity Access Proxy. Currently, the argo server runs in auth client mode. It looks like the IAP proxy is transparent for argo in that case.
I am confused about how to make argo "aware" of the upstream IAP proxy and use the SSO argo feature.
Has anyone already configured an argo cluster with Google IAP?
Currently running on Argo 2.10.2 and planning to upgrade to 2.12 once it's released.