feat: enable specifying root ca for oidc (#6712)

[clive-jevons]

When configuring an external OIDC provider which uses a private PKI
for its certificates it was not possible to properly verify the certificate
being served. Also, when using ArgoCD in insecure mode, e.g. when running
behind istio for providing mTLS, this resulted in errors.

Closes [6713]

Issue: #6713

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[codecov]

Codecov Report

Merging #6712 (c48c569) into master (1ab85de) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #6712      +/-   ##
==========================================
- Coverage   41.12%   41.10%   -0.03%     
==========================================
  Files         157      157              
  Lines       21010    21021      +11     
==========================================
  Hits         8640     8640              
- Misses      11141    11152      +11     
  Partials     1229     1229              

Impacted Files	Coverage Δ
util/oidc/oidc.go	19.21% <0.00%> (+0.18%)	⬆️
util/settings/settings.go	46.57% <0.00%> (-0.82%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 1ab85de...c48c569. Read the comment docs.

[jannfis]

Thanks, I think this is useful! I had some comment, please see below.

[jannfis]

I think this does not justify a panic. My suggestion here would be to log an error, and just proceed returning an empty &tls.Config{}.

[clive-jevons]

Makes sense 😁 Have updated accordingly 👍 Thanks!

[clive-jevons]

@jannfis <- have you had a chance to check out the newest version? 😬

[dcarlet]

@clive-jevons

So, I'm just a random user who just spent a significant number of hours beating my head against the wall trying to figure out why I couldn't get ArgoCD to integrate with my cluster's Keycloak...I suppose I should have looked in the issues sooner! Thank you for this!

Reading through your changes, it looks like the way this would be implemented is that you have to specify the root CA cert in the OIDC.config block as raw text?

[clive-jevons]

@dcarlet yes, the PR, as it stands, would allow you to simply include the PEM block of the root CA to be used for trusting the Keycloak's cert.

[jannfis]

Sorry for coming back so late to this! Just one minor thing: Would this maybe require some documentation, so that it's not a hidden feature?

[jannfis]

Also, can you please rebase to HEAD so that the CI can successfully run? Thanks.

[clive-jevons]

@jannfis I've rebased and also added a section to the docs 👍 Thnx 😁

[jannfis]

LGTM @clive-jevons

Sincere apologies for the very long cycle on this one. Somehow, this PR has slipped off my focus :(

[clive-jevons]

LGTM @clive-jevons

Sincere apologies for the very long cycle on this one. Somehow, this PR has slipped off my focus :(

@jannfis <- Thanks for accepting and using the PR 😁🙏🏻