Open mcyrrer opened 2 years ago
Faced the same issue. A user had 30+ groups assigned in Azure AD so the default nginx buffer_size was not enough to handle it.
I think this could be resolved by using the userinfo endpoint via this proposal from my colleague:
Faced the same issue. A user had 30+ groups assigned in Azure AD so the default nginx buffer_size was not enough to handle it.
Which nginx did you bump this on? I've been doing it on our ingress controller and not having any luck.
The following annotation on my Argo CD Ingress resolved the 400 status code responses to the argocd CLI for me:
nginx.ingress.kubernetes.io/server-snippet: |
  large_client_header_buffers 4 100k;
While another approach would be to increase the default client_header_buffer_size (docs) from 1k, this approach only allocates these larger buffers when necessary.
Discussed in https://github.com/argoproj/argo-cd/discussions/9288
argocd version
Describe the bug
We are using SSO through Azure AD and when we retrieve the full list of groups a user belongs to we get issues with the header size. All works well when we just claim the ApplicationGroups (=just a few groups) but not when we ask for SecurityGroup (=all groups that a user belongs to). After a long debugging session it looks like either the argocd cli or server does not like a large header (in this case a large header with all the Azure AD group claims).
How to reproduce
This is how to reproduce the issue without the need to use a login claim with many groups.
Expected behavior
Possible to use argocd cli with a user that belongs to a large number of azure ad groups.
Information
For the browser based experience we have managed to solve this by adding the row below to our Ingress
nginx.ingress.kubernetes.io/proxy-buffer-size: "20k"
But for the Argocd cli we get issues after the sso login flow
I have done some debugging and it looks to me that if the cli has a header with a size of ~8200 or more chars including the key the cli will fail. If there are fewer chars it works fine with the --grpc-web parameter.
All I get in the logs are in the nginx log:
I have nothing in the argocd-server log.
I think there is something in the cli call that does not manage to interpret the large header in the correct way.
Some information on the setup:
Ingress:
Version:
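The ~8200-character threshold reported above is close to nginx's default `large_client_header_buffers` size of 8k per buffer. As an added example (not code from the issue or from Argo CD), this sketch estimates how many GUID group claims fit in one header line for a given buffer setting. The token contents, the `Authorization: Bearer` header and the 256-byte signature placeholder are constructed assumptions; real tokens carry more claims and are larger, and the comparison against the buffer size is an approximation of nginx's limit.

```python
import base64
import json
import uuid

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sample_jwt(n_groups: int) -> str:
    """Constructed JWT-shaped token carrying n_groups GUID group claims."""
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {
        "iss": "https://argocd.example.invalid/api/dex",  # constructed issuer
        "sub": "constructed-subject",
        "groups": [str(uuid.UUID(int=i)) for i in range(n_groups)],
    }
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    parts.append(b64url(b"\x00" * 256))  # placeholder sized like an RSA-2048 signature
    return ".".join(parts)

def parse_size(text: str) -> int:
    """Parse an nginx size such as '8k', '1m' or '4096' into bytes."""
    text = text.strip().lower()
    if text[-1] in "km":
        return int(text[:-1]) * {"k": 1024, "m": 1024 ** 2}[text[-1]]
    return int(text)

def header_line_len(name: str, value: str) -> int:
    """Length of one header line as sent on the wire, including CRLF."""
    return len(f"{name}: {value}\r\n")

def fits(n_groups: int, buffers: str = "4 8k",
         name: str = "Authorization", prefix: str = "Bearer ") -> bool:
    """True if the header line fits in one buffer of large_client_header_buffers."""
    _count, size = buffers.split()
    line = header_line_len(name, prefix + sample_jwt(n_groups))
    return line <= parse_size(size)

def max_groups(buffers: str = "4 8k") -> int:
    """Largest group count whose header line still fits in one buffer."""
    n = 0
    while fits(n + 1, buffers):
        n += 1
    return n

if __name__ == "__main__":
    for setting in ("4 8k", "4 100k"):  # nginx default vs. the annotation above
        print(setting, "->", max_groups(setting), "groups")
```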