argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Add config supporting OIDC Client certificate/key #16148

Open ethanchowell opened 9 months ago

ethanchowell commented 9 months ago

Summary

Add a config input for OIDC client certificates/keys.

Motivation

I'm using Keycloak to control access to my argo-cd instance, and I'd like to have that Keycloak sit behind an Istio Gateway configured for Mutual TLS so that I allow Istio to handle the entirety of TLS at the access point of my cluster because my environments use PKI for user auth. As is, I have to configure a separate Gateway with Passthrough TLS and allow Keycloak to handle TLS so that argo-cd can make requests without client certs. I don't want to do this because now I have extra certs to manage, additional networking configs and considerations, and extra stuff to debug around TLS connections. Allowing argo-cd to use a provided client certificate/key pair would help simplify the networking config when mTLS is required for OIDC Providers.

Proposal

The OIDCConfig already allows for CA Certs for external providers, so we could add config for a client cert/key there: https://github.com/argoproj/argo-cd/blob/0cc0d46212f090d03147eeadf5705dc7fe138ee9/util/settings/settings.go#L180. If I remember correctly, this is done in a ConfigMap though, so maybe the client cert/key ends up in a secret since there's a private key involved?
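As an added illustration of the proposal (not argo-cd's own code): a Go sketch of how an OIDC HTTP client would load the existing rootCA together with the proposed client cert/key pair, rejecting half-configured or mismatched pairs. The oidcTLS type, its field names and the selfSignedPEM helper are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"net/http"
	"time"
)
// Hypothetical settings (all PEM): RootCA mirrors argo-cd's existing rootCA; ClientCert/ClientKey are the proposed additions.
type oidcTLS struct{ RootCA, ClientCert, ClientKey string }
// newOIDCHTTPClient trusts RootCA and, when a client cert/key pair is set, presents it to the provider (mTLS).
func newOIDCHTTPClient(c oidcTLS) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if c.RootCA != "" {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM([]byte(c.RootCA)) {
			return nil, errors.New("rootCA contains no valid PEM certificate")
		}
		tlsCfg.RootCAs = pool
	}
	if (c.ClientCert == "") != (c.ClientKey == "") { // half a pair is a misconfiguration
		return nil, errors.New("clientCert and clientKey must be set together")
	}
	if c.ClientCert != "" {
		pair, err := tls.X509KeyPair([]byte(c.ClientCert), []byte(c.ClientKey))
		if err != nil {
			return nil, err // also rejects a key that does not match the cert
		}
		tlsCfg.Certificates = []tls.Certificate{pair}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: tlsCfg}}, nil
}
// selfSignedPEM returns a throwaway cert/key pair (constructed sample data only).
func selfSignedPEM(cn string) (certPEM, keyPEM string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kd, _ := x509.MarshalECPrivateKey(key)
	certPEM = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	keyPEM = string(pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kd}))
	return certPEM, keyPEM
}
```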

obeyler commented 3 months ago

+1

ManuHeel commented 3 months ago

+1 too

We've got a Keycloak behind mTLS too here and this is blocking us from setting up RBAC and OIDC connectivity with KeyCloak and ArgoCD... I've tried setting up a TLS client certificate with the domain as a certificate for the Git repositories but it's not in the same Pod: the argocd-repo-server uses these but they aren't set up for the argocd-server. I think it should be possible to leverage the same setup that's in the argocd-repo-server for client certificates inside the argocd-server, either specifically for OIDC providers or generally for any hostname/domain wildcard HTTPS connectivity.