refactor transports, add v2.5 to docs, other small nits

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>

cmd/argocd-dex/commands/argocd_dex.go

@@ -75,16 +75,16 @@ func NewRunDexCommand() *cobra.Command {
 			kubeClientset := kubernetes.NewForConfigOrDie(config)
 
 			if !disableTLS {
-				config, err := tls.CreateServerTLSConfig("/tls/tls.crt", "/tls/tls.key", tlsHostList)
+				config, err := tls.CreateServerTLSConfig("/tls/tls.crt", "/tls/tls.key", []string{"localhost", "dexserver"})
 				if err != nil {
 					log.Fatalf("could not create TLS config: %v", err)
 				}
 				certPem, keyPem := tls.EncodeX509KeyPair(config.Certificates[0])
-				err = ioutil.WriteFile("/tmp/tls.crt", certPem, 0600)
+				err = os.WriteFile("/tmp/tls.crt", certPem, 0600)
 				if err != nil {
 					log.Fatalf("could not write TLS certificate: %v", err)
 				}
-				err = ioutil.WriteFile("/tmp/tls.key", keyPem, 0600)
+				err = os.WriteFile("/tmp/tls.key", keyPem, 0600)
 				if err != nil {
 					log.Fatalf("could not write TLS key: %v", err)
 				}
@@ -143,8 +143,6 @@ func NewRunDexCommand() *cobra.Command {
 	return &command
 }
 
-var tlsHostList []string = []string{"localhost", "dexserver"}
-
 func NewGenDexConfigCommand() *cobra.Command {
 	var (
 		clientConfig clientcmd.ClientConfig

docs/operator-manual/tls.md

@@ -113,7 +113,7 @@ for the `argocd-repo-server`, containing at least the entries for
 `DNS:argocd-repo-server` and `DNS:argocd-repo-server.argo-cd.svc` depending
 on how your workloads connect to the repository server.
 
-## Configuring inbound TLS for argocd-dex-server
+## Configuring inbound TLS for argocd-dex-server > v2.5
 
 ### Inbound TLS options for argocd-dex-server
 
@@ -185,7 +185,7 @@ certificate stored in the `argocd-repo-server-tls` secret.
     mind that when you have to replace the certificate, all workloads have
     to be restarted in order to properly work again.
 
-### Configuring TLS to argocd-dex-server
+### Configuring TLS to argocd-dex-server > v2.5
 
 `argocd-server` communicates with the `argocd-dex-server` using an HTTPS API
 over TLS. By default, `argocd-dex-server` generates a non-persistent, self

util/oidc/oidc.go

@@ -102,19 +102,21 @@ func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTl
 		return nil, fmt.Errorf("parse redirect-uri: %v", err)
 	}
 
+	transport := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	a.client = &http.Client{
+		Transport: transport,
+	}
+
 	if settings.DexConfig != "" && settings.OIDCConfigRAW == "" {
-		a.client = &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: dex.TLSConfig(dexTlsConfig),
-				Proxy:           http.ProxyFromEnvironment,
-				Dial: (&net.Dialer{
-					Timeout:   30 * time.Second,
-					KeepAlive: 30 * time.Second,
-				}).Dial,
-				TLSHandshakeTimeout:   10 * time.Second,
-				ExpectContinueTimeout: 1 * time.Second,
-			},
-		}
+		transport.TLSClientConfig = dex.TLSConfig(dexTlsConfig)
 		if strings.Contains(dexServerAddr, "://") {
 			a.client.Transport = dex.NewDexRewriteURLRoundTripper(dexServerAddr, a.client.Transport)
 		} else {
@@ -125,19 +127,7 @@ func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTl
 			}
 		}
 	} else {
-		tlsConfig := settings.OIDCTLSConfig()
-		a.client = &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
-				Proxy:           http.ProxyFromEnvironment,
-				Dial: (&net.Dialer{
-					Timeout:   30 * time.Second,
-					KeepAlive: 30 * time.Second,
-				}).Dial,
-				TLSHandshakeTimeout:   10 * time.Second,
-				ExpectContinueTimeout: 1 * time.Second,
-			},
-		}
+		transport.TLSClientConfig = settings.OIDCTLSConfig()
 	}
 	if os.Getenv(common.EnvVarSSODebug) == "1" {
 		a.client.Transport = httputil.DebugTransport{T: a.client.Transport}

util/session/sessionmanager.go

@@ -123,20 +123,21 @@ func NewSessionManager(settingsMgr *settings.SettingsManager, projectsLister v1a
 	if err != nil {
 		panic(err)
 	}
+	transport := &http.Transport{
+		Proxy: http.ProxyFromEnvironment,
+		Dial: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).Dial,
+		TLSHandshakeTimeout:   10 * time.Second,
+		ExpectContinueTimeout: 1 * time.Second,
+	}
+	s.client = &http.Client{
+		Transport: transport,
+	}
+
 	if settings.DexConfig != "" {
-		tlsConfig := dex.TLSConfig(dexTlsConfig)
-		s.client = &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
-				Proxy:           http.ProxyFromEnvironment,
-				Dial: (&net.Dialer{
-					Timeout:   30 * time.Second,
-					KeepAlive: 30 * time.Second,
-				}).Dial,
-				TLSHandshakeTimeout:   10 * time.Second,
-				ExpectContinueTimeout: 1 * time.Second,
-			},
-		}
+		transport.TLSClientConfig = dex.TLSConfig(dexTlsConfig)
 		if strings.Contains(dexServerAddr, "://") {
 			s.client.Transport = dex.NewDexRewriteURLRoundTripper(dexServerAddr, s.client.Transport)
 		} else {
@@ -151,18 +152,7 @@ func NewSessionManager(settingsMgr *settings.SettingsManager, projectsLister v1a
 		if tlsConfig != nil {
 			tlsConfig.InsecureSkipVerify = true
 		}
-		s.client = &http.Client{
-			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
-				Proxy:           http.ProxyFromEnvironment,
-				Dial: (&net.Dialer{
-					Timeout:   30 * time.Second,
-					KeepAlive: 30 * time.Second,
-				}).Dial,
-				TLSHandshakeTimeout:   10 * time.Second,
-				ExpectContinueTimeout: 1 * time.Second,
-			},
-		}
+		transport.TLSClientConfig = tlsConfig
 	}
 	if os.Getenv(common.EnvVarSSODebug) == "1" {
 		s.client.Transport = httputil.DebugTransport{T: s.client.Transport}