I followed the official guide on how to install Argo Workflows. In the official guide, you can only run it locally.
I tried to edit the install.yaml file and added a LoadBalancer, but it won't run through it. It only runs by forwarding the port.
Any idea or guide on how to run argo workflow publicly?
I'm using EKS Cluster, AWS.
The guide I followed is: https://argoproj.github.io/argo-workflows/quick-start/
Check the docs in here.
It seems to me you will first want to use the Argo workflow UI without any extra Ingress or AuthN work.
I'll divide my answer into 3 parts.
The answer to your question on how to make Argo Workflows public is in Phase 2.
Step (1): Disable client AuthN
The argo-server (and thus the UI) defaults to client authentication so let's first disable it.
You can add the following setup in the Helm chart values:
    server:
      extraArgs: [--auth-mode=server]
Like described here.
Or you can patch the deployment directly like described here:
    kubectl patch deployment \
      argo-server \
      --namespace argo \
      --type='json' \
      -p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": [
      "server",
      "--auth-mode=server"
    ]}]'
Step (2): Disable TLS. Add this to the Helm chart setting:
    server:
      secure: false
Read more in here.
Step (3): Port-forward to the UI
We have no Ingress setup yet so you will have to port-forward to the argo-workflows-server-xyz pod directly:
    kubectl -n argo port-forward deployment/argo-server 2746:2746
More in here.
Here we will go one step further and ensure we have an Ingress route that will create the relevant record on the AWS load balancer so you can connect to the UI from outside.
Step (1): Add Ingress controller and a DNS server. I will provide the relevant setup in the Argo Workflow chart and will add references to relevant libraries you can use.
First of all, install a tool like ExternalDNS, which helps to configure public DNS servers with information about your exposed K8s services/Ingresses so they can be discovered from outside.
Then add an ingress controller like ingress-nginx that will perform the wiring between your Ingress resource and your DNS server.
It is recommended to also add a tool like cert-manager so you can expose your endpoint behind HTTPS.
Step (2): Add an Ingress resource to the Argo workflow settings.
Add the following section to the Argo WF server section in the Helm chart:
    server:
      secure: true # <-- I think TLS is relevant also for DEV phase
      extraArgs: [--auth-mode=server]
      ingress:
        enabled: true
        annotations:
          cert-manager.io/cluster-issuer: cluster-issuer-staging
          nginx.ingress.kubernetes.io/backend-protocol: https
        ingressClassName: ingress-nginx
        hosts:
          - '<override-me>'
        paths:
          - /
        pathType: Prefix
        tls:
          - secretName: argoworkflows-ingress-tls
            hosts:
              - '<override-me>'
Instead of the '<override-me>' places you will have to provide a URL that is a combination of your UI prefix (Example: my-cool-argowf) and the domain you have for ExternalDNS (Example: dev.mydomain) - to complete the form of: my-cool-argowf-ui.dev.mydomain
The steps below should also be done in DEV environment.
Step (1): Change the Server AuthN method
You will have to switch the Helm chart value:
From:
server.extraArgs: [--auth-mode=server]
To:
--auth-mode=sso
or --auth-mode=client
From here:
client - requires clients to provide their Kubernetes bearer token and use that.
sso - since v2.9, use single sign-on, this will use the same service account as per "server" for RBAC. We expect to change this in the future so that the OAuth claims are mapped to service accounts.
Step (2): Implement SSO or Client Auth methods.
A full step by step guide is beyond the scope of this question. But I'll refer you to relevant instructions:
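
A check for the Phase 2 setup above, where an Ingress publishes argo-server while it still runs with --auth-mode=server, a mode in which every request is served under the argo-server service account. This is an added example, not part of the original answer; it reads the JSON printed by `kubectl -n argo get deployment,ingress -o json` and assumes the quick-start name argo-server for both the Deployment and the Service (a Helm release will use other names).

```python
import json

def auth_modes(args):
    """Return every --auth-mode value ('--auth-mode=x' or '--auth-mode x')."""
    modes = []
    for i, arg in enumerate(args):
        if arg.startswith("--auth-mode="):
            modes.append(arg.split("=", 1)[1])
        elif arg == "--auth-mode" and i + 1 < len(args):
            modes.append(args[i + 1])
    return modes

def ingress_hosts(items, service):
    """Hosts of every Ingress rule that routes to the given Service."""
    hosts = []
    for item in items:
        if item.get("kind") != "Ingress":
            continue
        for rule in item.get("spec", {}).get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                if path.get("backend", {}).get("service", {}).get("name") == service:
                    hosts.append(rule.get("host", "*"))
    return sorted(set(hosts))

def audit(kubectl_json, deployment="argo-server", service="argo-server"):
    """Flag server auth mode behind an Ingress and plain HTTP (names assumed)."""
    items = json.loads(kubectl_json).get("items", [])
    findings = []
    for item in items:
        if item.get("kind") != "Deployment" or item["metadata"]["name"] != deployment:
            continue
        args = item["spec"]["template"]["spec"]["containers"][0].get("args", [])
        hosts = ingress_hosts(items, service)
        if "server" in auth_modes(args) and hosts:
            findings.append("auth-mode=server published via Ingress: " + ", ".join(hosts))
        if "--secure=false" in args:
            findings.append("argo-server serves plain HTTP (--secure=false)")
    return findings

# Constructed sample of `kubectl -n argo get deployment,ingress -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "argo-server"},
     "spec": {"template": {"spec": {"containers": [
         {"args": ["server", "--auth-mode=server"]}]}}}},
    {"kind": "Ingress", "spec": {"rules": [{"host": "argo.dev.example.test",
     "http": {"paths": [{"backend": {"service": {"name": "argo-server"}}}]}}]}},
]})

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

An empty result after switching to --auth-mode=sso or --auth-mode=client (Phase 3) confirms the published endpoint no longer answers with the server's own credentials.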