This PR hopefully puts an end to the Argo CD SSO saga. Here's how.
HTTPS. Updated Argo CD configuration to use HTTPS when performing the OIDC code grant flow. This is because as of #207, we have a proper TLS certificate, so we can use HTTPS instead of plain HTTP.
Keycloak. Reconfigured Argo CD OIDC client in the master realm to use HTTPS. Also both master and kitt4sme realms now only accept HTTPS connections---i.e. in the login config of both realms, "Require SSL" is set to "all requests".
TLS cert. Added *.collab-cloud.eu cert to the ones Argo CD trusts.
Server version. Downgraded from 2.7.0-rc1 to latest official release (2.6.7) as 2.7.0 is a pre-release still actively being worked on.
With these fixes in place, you can now log into Argo CD through Keycloak over HTTPS.
See also: #209, #212, #210, #215, #220, #223, #229
Note
Collab cloud certificate. Argo CD will call the configured issuer to retrieve OIDC config (/.well-known/openid-configuration) and exchange grant codes for proper auth tokens. If the issuer field is an HTTPS URL, Argo CD will try validating the server TLS cert. If the server cert was signed by a root or intermediate authority not known to Argo CD, validation will fail. By default, Argo CD looks for the CAs bundled with the Docker image. Unfortunately, recent images don't bundle the SSL.com intermediate authority that signed our Kitt4sme cert, which makes validation fail with this error message
Luckily, recent Argo CD versions let you add your OIDC provider's cert to the ones Argo CD trusts through the rootCA field. In our case this field contains the *.collab-cloud.eu cert, the same as the one we use for the Istio gateway.
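The following Go program is an added example, not code from the PR or from Argo CD itself. Argo CD is written in Go, so its check of the issuer's TLS cert follows crypto/x509's chain-building rules, and the program models that check: it builds a constructed three-tier chain (a stand-in root CA, the intermediate that signed the server cert, and a *.collab-cloud.eu wildcard cert, all with throwaway in-memory keys), then verifies the server cert against different trust stores to show which PEM content in the rootCA field makes the handshake pass. The CA names, the issuer hostname keycloak.collab-cloud.eu and the four scenarios are assumptions chosen to illustrate the failure described above; the real SSL.com chain is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ChainFixture is a constructed stand-in for the page's chain: a root CA, the
// intermediate that signed the server cert, and the wildcard server cert.
type ChainFixture struct{ Root, Intermediate, Leaf *x509.Certificate }

// template builds a CA or server-cert template; server certs get the SAN and
// serverAuth EKU that a Go TLS client checks for.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// sign issues tmpl under parent with the parent's private key (self-signed
// when tmpl == parent) and returns the parsed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewChainFixture generates fresh keys and issues root -> intermediate -> leaf.
func NewChainFixture() ChainFixture {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[i] = k
	}
	rootTmpl := template(1, "Example Root CA", true)
	root := sign(rootTmpl, rootTmpl, &keys[0].PublicKey, keys[0])
	inter := sign(template(2, "Example Intermediate CA", true), root, &keys[1].PublicKey, keys[0])
	leaf := sign(template(3, "*.collab-cloud.eu", false), inter, &keys[2].PublicKey, keys[1])
	return ChainFixture{root, inter, leaf}
}

// Presented is what the server sends in the TLS handshake, leaf first; a
// misconfigured server may omit the intermediate.
func (f ChainFixture) Presented(withIntermediate bool) []*x509.Certificate {
	if withIntermediate {
		return []*x509.Certificate{f.Leaf, f.Intermediate}
	}
	return []*x509.Certificate{f.Leaf}
}

// PEMBundle renders certs the way they are pasted into the rootCA field.
func PEMBundle(certs ...*x509.Certificate) string {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return string(out)
}

// VerifyIssuer models the client-side check on the issuer's server cert:
// rootCAPEM is the trust store (rootCA field or the image's CA bundle),
// presented is the chain the server sent, host is the issuer hostname.
func VerifyIssuer(rootCAPEM string, presented []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM([]byte(rootCAPEM)) {
		return fmt.Errorf("trust store holds no parseable certificate")
	}
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	f, host := NewChainFixture(), "keycloak.collab-cloud.eu" // assumed issuer host
	fmt.Println("root only, intermediate not presented:", VerifyIssuer(PEMBundle(f.Root), f.Presented(false), host))
	fmt.Println("root only, intermediate presented:    ", VerifyIssuer(PEMBundle(f.Root), f.Presented(true), host))
	fmt.Println("intermediate in rootCA:               ", VerifyIssuer(PEMBundle(f.Intermediate), f.Presented(false), host))
	fmt.Println("server cert itself in rootCA:         ", VerifyIssuer(PEMBundle(f.Leaf), f.Presented(false), host))
}
```

The first scenario is the failure mode from the Note: the trust store knows the root but not the intermediate, and nothing else supplies it, so chain building stops with an unknown-authority error. The remaining three all pass, which is why the rootCA field can hold the intermediate, a bundle, or (as this PR does) the *.collab-cloud.eu cert itself: Go's verifier accepts a non-self-signed CA, or the end-entity cert, as a trust anchor when it is present in the root pool. Note that this is Go-specific; OpenSSL-based clients would not accept the leaf alone without partial-chain mode.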