Argo Workflows Integration
GreenOps acts as a layer on top of Argo Workflows. To manage the authentication flow, the platform needs access to Argo Workflows, thus requiring a few minor changes.
These settings allow only GreenOps to embed Argo Workflows, while ensuring that other third parties cannot make requests or interact with Argo Workflows.
There are 2 options:
Use the Hardened Argo Workflows Server Image
GreenOps provides an image of the Argo Workflows server. It is the same distribution as the OSS Argo Workflows server, with a few minor security/accessibility updates. The changes are described below, and can also be seen here.
Update Ingress Headers for the Argo Workflows Server
It is more secure to use the Argo Workflows server image distributed by GreenOps, but if you would prefer to apply the Argo Workflows changes at the ingress instead, that is also possible.
These are the updates that have to be made:
- Content Security Policy:
  Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src 'self'; frame-ancestors https://<GREENOPS_URL>
  frame-ancestors was added to the Content-Security-Policy to ensure that only GreenOps can embed Argo Workflows via iframe.
- X Frame Options: X-Frame-Options should be cleared from the headers. The Content Security Policy makes this largely obsolete.
- Accessible Endpoint for Checking Auth: For the API endpoint /api/v1/info, set the header Access-Control-Allow-Origin to https://<GREENOPS_URL>, and Access-Control-Allow-Credentials to true. This gives GreenOps an endpoint that 1) provides a way to check if a user is logged in, or needs to be redirected to login and 2) doesn't share any sensitive information.
- Same Site Policy: Set the cookie policy to SameSite=None;Secure. GreenOps needs to be able to verify if a user is logged in. This update is necessary so the request used above will go through properly.
- Set the built-in --access-control-allow-origin flag to https://<GREENOPS_URL> in the Argo Workflows deployment. Note: This is not an ingress configuration.
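One way to verify the result once the ingress changes are in place, as an added example (not GreenOps or Argo Workflows code): a Python check that audits a response's headers against the settings listed above. The origin https://greenops.example.com, the cookie name and the sample headers are constructed placeholders, and only the first Content-Security-Policy header is inspected.

```python
# Added example: audit response headers against the ingress settings listed above.
GREENOPS_ORIGIN = "https://greenops.example.com"  # placeholder for https://<GREENOPS_URL>

# Constructed sample: headers from /api/v1/info behind a misconfigured ingress.
SAMPLE = [
    ("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; img-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Access-Control-Allow-Origin", "*"),
    ("Set-Cookie", "session=placeholder; Path=/; SameSite=Strict"),
]


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # When a directive is repeated, the first occurrence is the one used.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_headers(headers, origin=GREENOPS_ORIGIN, is_info_endpoint=False):
    """Return findings for a list of (name, value) header pairs; [] means conforming."""
    h = {}
    for name, value in headers:
        h.setdefault(name.lower(), []).append(value)
    findings = []

    csp = h.get("content-security-policy", [])
    ancestors = parse_csp(csp[0]).get("frame-ancestors") if csp else None
    if ancestors is None:
        findings.append("CSP has no frame-ancestors directive")
    elif ancestors != [origin]:
        findings.append(f"frame-ancestors allows {ancestors}, expected only {origin}")

    if "x-frame-options" in h:
        findings.append("X-Frame-Options is still set")

    if is_info_endpoint:  # CORS headers are only required on /api/v1/info
        if h.get("access-control-allow-origin") != [origin]:
            findings.append("Access-Control-Allow-Origin is not the GreenOps origin")
        if h.get("access-control-allow-credentials") != ["true"]:
            findings.append("Access-Control-Allow-Credentials is not true")

    for cookie in h.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "samesite=none" not in attrs or "secure" not in attrs:
            findings.append(f"cookie {cookie.split('=')[0]} lacks SameSite=None; Secure")
    return findings
```

Feed it the headers captured from a real response (for example from `curl -sI`) as (name, value) pairs, with `is_info_endpoint=True` for /api/v1/info.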