Make ArgoCD authenticated using AWS Cognito

Md Asraful Haque (Sohel) - Sep 1 - - Dev Community

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. If you install Argo CD using the official guide and expose it through an ALB and Route 53, it will be open to anyone who knows the URL.

(If you want to know how to expose an EKS application using ALB and Route 53, see the blog post on exposing the Tekton dashboard.)

The goal of this post is to show how to protect Argo CD from public access using AWS Cognito and also control the level of access, e.g. read versus write.

Pre-Requisite

  • EKS cluster (or any other Kubernetes cluster)
  • kubectl configured on your local machine
  • Argo CD installed in the cluster

Step by Step

Setup AWS Cognito

Follow the steps from this blog post on how to set up AWS Cognito for the Argo CD application.

Get the CLIENT_ID, CLIENT_SECRET and OIDC issuer URL from AWS Cognito; they are used in later steps.

Create Users at AWS Cognito

Go to the user pool and create two groups, e.g. named argocd-admin and argocd-reader. Add the corresponding users to these groups, i.e. add the admin users to the argocd-admin group and the read-only users to argocd-reader. The read-only users cannot create applications in the Argo CD console.

Update argoCD config

Now we have to edit the argocd-cm and argocd-rbac-cm ConfigMaps.
You will find the samples in this GitHub repo.
So the steps are:

  • Clone the git repository
  • Go to the aws-cognito-config directory
  • Take the clientID, clientSecret and issuer URL from the previous Cognito setup step and fill in oidc.config in the argocm.yaml file
  • The last field, url (in the ConfigMap), should be the domain URL with which you will access the Argo CD console, e.g. https://argocd.myekscluster.com.

  • Now apply the configurations with:

$ kubectl apply -n argocd -k .

  • For the change to take effect immediately, you can restart the argocd-server pod, i.e. list the pods:

$ kubectl get pods -n argocd | grep argocd-server

Then delete the pod, e.g. if your argocd-server pod is argocd-server-6d879b555c-srbv5:

$ kubectl delete pod -n argocd argocd-server-6d879b555c-srbv5
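As an added example (not the sample from the post's repo), this is what the two ConfigMaps look like once filled in: the issuer, client ID, client secret and console domain are placeholders to replace with your own Cognito values, and the $oidc.cognito.clientSecret reference assumes you store the secret in argocd-secret instead of pasting it in.

```yaml
# argocd-cm: points the Argo CD server at the Cognito user pool for login.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Public URL of the console; the callback registered in Cognito
  # must be <url>/auth/callback.
  url: https://argocd.myekscluster.com
  oidc.config: |
    name: Cognito
    # Placeholder: the user pool's OIDC issuer from the Cognito setup step.
    issuer: https://cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>
    clientID: <CLIENT_ID>
    # A value starting with $ is read from the argocd-secret Secret, which
    # keeps the client secret out of the plain ConfigMap (assumed setup).
    clientSecret: $oidc.cognito.clientSecret
    requestedScopes: ["openid", "profile", "email"]
---
# argocd-rbac-cm: maps the two Cognito groups to Argo CD roles.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Group membership is taken from the cognito:groups claim of the ID token.
  scopes: '[cognito:groups]'
  # Empty default: a user in neither group gets no access at all.
  policy.default: ''
  policy.csv: |
    g, argocd-admin, role:admin
    g, argocd-reader, role:readonly
```

If you keep the secret in argocd-secret, add it there under the key oidc.cognito.clientSecret; otherwise put the literal CLIENT_SECRET in clientSecret as the post describes.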

That's it. Now if you open the Argo CD URL, e.g. https://argocd.myekscluster.com, you will see a "Login with Cognito" button, and if you enter the correct username and password you can log in !!! 🎉

References:
https://medium.com/@devopsrockers/argocd-sso-config-with-aws-cognito-c51cade75cef
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html
