feat: enable specifying root ca for oidc (#6712) #6712
Conversation
Codecov Report
@@ Coverage Diff @@
## master #6712 +/- ##
==========================================
- Coverage 41.12% 41.10% -0.03%
==========================================
Files 157 157
Lines 21010 21021 +11
==========================================
Hits 8640 8640
- Misses 11141 11152 +11
Partials 1229 1229
Continue to review full report at Codecov.
(force-pushed bacc7cb to 2cc3377)
Thanks, I think this is useful! I had some comments, please see below.
util/settings/settings.go (outdated)

```go
if !ok {
	panic("bad oidc root ca cert")
}
```
I think this does not justify a panic. My suggestion here would be to log an error, and just proceed returning an empty &tls.Config{}.
Makes sense 😁 Have updated accordingly 👍 Thanks!
@jannfis <- have you had a chance to check out the newest version? 😬
(force-pushed 2cc3377 to 6124d21)
(force-pushed 6124d21 to a69e725)
So, I'm just a random user who just spent a significant number of hours beating my head against the wall trying to figure out why I couldn't get ArgoCD to integrate with my cluster's Keycloak...I suppose I should have looked in the issues sooner! Thank you for this! Reading through your changes, it looks like the way this would be implemented is that you have to specify the root CA cert in the OIDC.config block as raw text?
@dcarlet yes, the PR, as it stands, would allow you to simply include the PEM block of the root CA to be used for trusting the Keycloak's cert.
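The two points raised above, the reviewer's "log an error and return an empty &tls.Config{} instead of panicking" and the PEM-block-in-oidc.config usage dcarlet asks about, written out as an added Go example that is not the PR's own code. Note that the fallback is fail-closed for a private PKI: the provider's certificate will still fail verification against the system roots, so the logged line is the signal to watch for when the OIDC login suddenly reports an unknown authority. oidcTLSConfig and constructedCAPEM are assumed names, and log.Printf stands in for whatever logger the project uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"log"
	"math/big"
	"time"
)

// oidcTLSConfig builds the *tls.Config used for the OIDC provider from the
// PEM text carried in the oidc.config block (helper name is an assumption).
// On empty or unparsable PEM it logs and returns an empty config, so Go
// verifies against the system trust store instead of panicking; a private
// PKI cert will then still fail verification, but with a clear log trail.
func oidcTLSConfig(rootCA string) *tls.Config {
	if rootCA == "" {
		return &tls.Config{}
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM([]byte(rootCA)) {
		log.Printf("oidc: root CA is not valid PEM, falling back to system roots")
		return &tls.Config{}
	}
	return &tls.Config{RootCAs: pool}
}

// constructedCAPEM mints a throwaway self-signed CA (constructed sample
// input for this example, not a real trust anchor).
func constructedCAPEM() string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```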
Sorry for coming back so late to this! Just one minor thing: Would this maybe require some documentation, so that it's not a hidden feature?
Also, can you please rebase to
When configuring an external OIDC provider which uses a private PKI for its certificates it was not possible to properly verify the certificate being served. Also, when using ArgoCD in insecure mode, e.g. when running behind istio for providing mTLS, this resulted in errors.
Signed-off-by: Clive Jevons <clive@jevons-it.net>
(force-pushed a69e725 to c48c569)
@jannfis I've rebased and also added a section to the docs 👍 Thnx 😁
LGTM @clive-jevons
Sincere apologies for the very long cycle on this one. Somehow, this PR has slipped off my focus :(
@jannfis <- Thanks for accepting and using the PR 😁🙏🏻
When configuring an external OIDC provider which uses a private PKI
for its certificates it was not possible to properly verify the certificate
being served. Also, when using ArgoCD in insecure mode, e.g. when running
behind istio for providing mTLS, this resulted in errors.
Closes #6713
Issue: #6713