Goal
Enable client-based authentication for the Argo Workflows UI in a Fusion 5.x Kubernetes deployment. This allows secure API or UI access when port-forwarding to the Argo server.
Environment
Fusion 5.9.x and above
Kubernetes (any certified distribution; tested on AKS, EKS, GKE)
Argo Workflows installed via Lucidworks Fusion Helm chart
Guide
Configure Argo server for client authentication
To use Kubernetes bearer tokens with Argo Workflows, the Argo server must be switched to client authentication mode.
Run the following kubectl patch command to modify the Argo server deployment to include the --auth-mode=client argument. The replace operation overwrites the container's entire args list with the two values shown:
kubectl patch deployment <argo-server-deployment> \
-n <namespace> \
--type='json' \
-p='[{"op": "replace", "path": "/spec/template/spec/containers/0/args", "value": ["server", "--auth-mode=client"]}]'
Identify the service account
Confirm the service account name used by the Argo server pod:
kubectl get pod <argo-server-pod-name> -n <namespace> -o yaml | grep serviceAccount
You should see values like:
serviceAccount: <argo-server-service-account>
serviceAccountName: <argo-server-service-account>
Verify service account secrets
Check if the service account has a token secret associated:
kubectl get sa <argo-server-service-account> -n <namespace>
If the SECRETS column shows 0, create a token secret manually.
Create a role binding
Grant the service account the necessary permissions by binding it to the admin cluster role within the namespace:
kubectl create rolebinding argo-server-admin \
--clusterrole=admin \
--serviceaccount=<namespace>:<argo-server-service-account> \
-n <namespace>
Create and extract a Kubernetes bearer token
Use the following command to generate the token string:
ARGO_TOKEN="Bearer $(kubectl get secret <token-secret-name> \
-n <namespace> \
-o=jsonpath='{.data.token}' | base64 --decode)"
You can output the token with:
echo "$ARGO_TOKEN"
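The "create a token secret manually" step and a check on the extracted token, as an added example that is not part of the original guide or of the Fusion chart. The helper names are hypothetical; the Secret type and annotation are the standard Kubernetes ones for service account tokens, and the subject check only reads the token's claims.

```shell
# Added example: helper names are hypothetical, not from the guide.

# Print a Secret manifest that asks Kubernetes to issue a long-lived token
# for an existing service account. Args: <service-account> <namespace> <secret-name>
token_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $3
  namespace: $2
  annotations:
    kubernetes.io/service-account.name: $1
type: kubernetes.io/service-account-token
EOF
}

# Decode the claims (middle) segment of a service account token.
# Accepts the value with or without the "Bearer " prefix.
# This only reads the claims; signature checking is left to the API server.
jwt_payload() (
  tok="${1#Bearer }"
  p=$(printf '%s' "$tok" | cut -d. -f2 | tr '_-' '/+')   # base64url -> base64
  case $(( ${#p} % 4 )) in                                # restore stripped padding
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 --decode
)

# Print the "sub" claim, e.g. system:serviceaccount:<namespace>:<name>.
token_subject() {
  jwt_payload "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed only if the token was issued for the given service account.
# Args: <namespace> <service-account> <token>
token_is_for() {
  [ "$(token_subject "$3")" = "system:serviceaccount:$1:$2" ]
}

# Usage, with the placeholders used in this guide:
#   token_secret_manifest <argo-server-service-account> <namespace> <token-secret-name> | kubectl apply -f -
#   token_is_for <namespace> <argo-server-service-account> "$ARGO_TOKEN" && echo "token matches"
```

Running the check before pasting the token into the UI confirms that the secret you read belongs to the Argo server service account and not to another account in the namespace.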
Port-forward to Argo server
To access the Argo UI or API locally, forward the service port:
kubectl port-forward svc/<argo-server-service> -n <namespace> 2746:2746
Access the UI at https://localhost:2746.
Use the bearer token for authentication
Pass the bearer token in your API request or UI authentication:
curl https://localhost:2746/api/v1/workflows/<namespace> \
-H "Authorization: $ARGO_TOKEN"
To access the UI in client mode, paste the full Bearer token when prompted.