Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: enable specifying root ca for oidc (#6712) #6712

Merged
merged 1 commit into from Dec 20, 2021
Merged

feat: enable specifying root ca for oidc (#6712) #6712

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
15 changes: 15 additions & 0 deletions docs/operator-manual/user-management/index.md
View file
Open in desktop
Expand Up @@ -372,6 +372,21 @@ You are not required to specify a logoutRedirectURL as this is automatically gen
!!! note
The post logout redirect URI may need to be whitelisted against your OIDC provider's client settings for ArgoCD.

### Configuring a custom root CA certificate for communicating with the OIDC provider

If your OIDC provider is setup with a certificate which is not signed by one of the well known certificate authorities
you can provide a custom certificate which will be used in verifying the OIDC provider's TLS certificate when
communicating with it.
Add a `rootCA` to your `oidc.config` which contains the PEM encoded root certificate:

```yaml
oidc.config: |
...
rootCA: |
-----BEGIN CERTIFICATE-----
... encoded certificate data here ...
-----END CERTIFICATE-----
```


## SSO Further Reading
Expand Down
5 changes: 1 addition & 4 deletions util/oidc/oidc.go
View file
Open in desktop
Expand Up @@ -107,10 +107,7 @@ func NewClientApp(settings *settings.ArgoCDSettings, cache OIDCStateStorage, dex
if err != nil {
return nil, fmt.Errorf("parse redirect-uri: %v", err)
}
tlsConfig := settings.TLSConfig()
if tlsConfig != nil {
tlsConfig.InsecureSkipVerify = true
}
tlsConfig := settings.OIDCTLSConfig()
a.client = &http.Client{
Transport: &http.Transport{
TLSClientConfig: tlsConfig,
Expand Down
22 changes: 22 additions & 0 deletions util/settings/settings.go
View file
Open in desktop
Expand Up @@ -111,6 +111,7 @@ type OIDCConfig struct {
RequestedScopes []string `json:"requestedScopes,omitempty"`
RequestedIDTokenClaims map[string]*oidc.Claim `json:"requestedIDTokenClaims,omitempty"`
LogoutURL string `json:"logoutURL,omitempty"`
RootCA string `json:"rootCA,omitempty"`
}

// DEPRECATED. Helm repository credentials are now managed using RepoCredentials
Expand Down Expand Up @@ -1392,6 +1393,27 @@ func (a *ArgoCDSettings) OAuth2ClientSecret() string {
return ""
}

func (a *ArgoCDSettings) OIDCTLSConfig() *tls.Config {
if oidcConfig := a.OIDCConfig(); oidcConfig != nil {
if oidcConfig.RootCA != "" {
certPool := x509.NewCertPool()
ok := certPool.AppendCertsFromPEM([]byte(oidcConfig.RootCA))
if !ok {
log.Warn("invalid oidc root ca cert - returning default tls.Config instead")
return &tls.Config{}
}
return &tls.Config{
RootCAs: certPool,
}
}
}
tlsConfig := a.TLSConfig()
if tlsConfig != nil {
tlsConfig.InsecureSkipVerify = true
}
return tlsConfig
}

func appendURLPath(inputURL string, inputPath string) (string, error) {
u, err := url.Parse(inputURL)
if err != nil {
Expand Down