c0c0n3
commented
1 year ago Demo
- Browse to https://kitt4sme.collab-cloud.eu/argocd
- Click on the "Login via Keycloak" button
- Your browser should get redirected to the Keycloak login page.
- Enter your credentials in the login form and submit.
- Your browser should be redirected back to Argo CD and you should see the "apps" page.
RyanKelvinFord
This PR hopefully puts an end to the Argo CD SSO saga. Here's how.
masterrealm to use HTTPs. Also bothmasterandkitt4smerealms now only accept HTTPs connections---i.e. in the login config of both realms, "Require SSL" is set to "all requests".*.collab-cloud.eucert to the ones Argo CD trusts.2.7.0-rc1to latest official release (2.6.7) as2.7.0is a pre-release still actively being worked on.With these fixes in place, you can now log into Argo CD through Keycloak over HTTPs.
See also:
209
212
210
215
220
223
229
Note
Collab cloud certificate. Argo CD will call the configured issuer to retrieve OIDC config (/.well-known/openid-configuration) and exchange grant codes for proper auth tokens. If the issuer field is an HTTPs URL, Argo CD will try validating the server TLS cert. If the server cert was signed by a root or intermediate authority not known to Argo CD, validation will fail. By default, Argo CD looks for the CAs bundled with the Docker image. Unfortunately, recent images don't bundle the
SSL.comintermediate authority that signed our Kitt4sme cert, which makes validation fail with this error messageLuckily, recent Argo CD versions let you add your OIDC provider's cert to the ones Argo CD trusts through the
rootCAfield. In our case this field contains the*.collab-cloud.eu cert, the same as the one we use for the Istio gateway.