Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. If you install Argo CD using the official guide and expose it with an ALB and Route53, it is open to anyone who knows the URL.
(If you want to know how to expose an EKS application using ALB and Route53, see the blog post on exposing tekton-dashboard.)
The goal of this blog is to show how to protect Argo CD from public access using AWS Cognito and also to control the level of access, e.g. read-only vs. read/write.
Pre-Requisite
- EKS Cluster (or any other k8s cluster)
- kubectl is configured on your local machine
- Argo CD is installed in the cluster
Step by Step
Setup AWS Cognito
Follow the steps from this blog post on how to set up AWS Cognito for the Argo CD application.
Get the CLIENT_ID, CLIENT_SECRET and oidc-issuer-url from AWS Cognito; they are used in the later steps.
Create Users at AWS Cognito
Go to the user pool and create two groups, e.g. named argocd-admin and argocd-reader. Add the corresponding users to these groups, i.e. add the admin users to argocd-admin and the read-only users to argocd-reader. Read-only users cannot create applications in the Argo CD console.
Update Argo CD config
Now we have to edit the argocd-cm and argocd-rbac-cm ConfigMaps.
You will find sample files in this GitHub repo.
So the steps are:
- Clone the git repository.
- Go to the aws-cognito-config directory.
- Take the clientID, clientSecret and issuer URL from the previous Cognito setup step and fill in oidc.config in the argocm.yaml file. The last field, url (in the ConfigMap), should be the domain URL with which you will access the Argo CD console, e.g. https://argocd.myekscluster.com. Now apply the configuration with:
$ kubectl apply -n argocd -k .
- To take effect immediately, you can restart the argocd-server pod, i.e. get the pods:
$ kubectl get pods -n argocd | grep argocd-server
Then delete the pod, e.g. if your argocd-server pod is argocd-server-6d879b555c-srbv5:
$ kubectl delete pod -n argocd argocd-server-6d879b555c-srbv5
That's it. Now if you open the Argo CD URL, e.g. https://argocd.myekscluster.com, you will see the "Login with Cognito" button, and if you enter the correct user name and password you can log in !!! 🎉
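As an added example (not the original post's or the sample repo's files), here are the two ConfigMaps the steps above edit, wired to the argocd-admin and argocd-reader groups created earlier. The region, user pool id, client id and hostname are placeholders, and the client secret is referenced from argocd-secret instead of being pasted into the ConfigMap.

```yaml
# Added example: argocd-cm and argocd-rbac-cm for a Cognito user pool.
# <REGION>, <USER_POOL_ID>, <COGNITO_APP_CLIENT_ID> and the hostname are
# assumed placeholders; the group names are the ones created in Cognito above.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Must match the public URL of the console; Argo CD derives the OIDC
  # redirect URL (<url>/auth/callback) from it.
  url: https://argocd.myekscluster.com
  oidc.config: |
    name: Cognito
    issuer: https://cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>
    clientID: <COGNITO_APP_CLIENT_ID>
    # Reference a key in the argocd-secret Secret rather than embedding
    # the secret in a ConfigMap that anyone with read access can dump.
    clientSecret: $oidc.cognito.clientSecret
    requestedScopes: ["openid", "profile", "email"]
    # Ask Cognito to include group membership in the ID token so that the
    # RBAC policy below can map groups to roles.
    requestedIDTokenClaims: {"cognito:groups": {"essential": true}}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/part-of: argocd
data:
  # Deny by default: an authenticated user in no matching group gets nothing,
  # so a new Cognito account does not silently become read-only or admin.
  policy.default: ""
  # Read group membership from the cognito:groups claim of the ID token.
  scopes: "[cognito:groups, email]"
  policy.csv: |
    g, argocd-admin, role:admin
    g, argocd-reader, role:readonly
```

Add the client secret to the existing argocd-secret rather than re-creating that Secret (it also holds the admin password and server signing key), e.g. `kubectl -n argocd patch secret argocd-secret -p '{"stringData":{"oidc.cognito.clientSecret":"<COGNITO_APP_CLIENT_SECRET>"}}'`, where the value is again a placeholder.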
References:
https://medium.com/@devopsrockers/argocd-sso-config-with-aws-cognito-c51cade75cef
https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-user-pools.html