argo with SSO login to provider with internal CA throws "x509: certificate signed by unknown authority" #4447
Comments
I'm pretty sure you'll need to mount a volume with your certificates. Maybe something like this: https://medium.com/faun/mount-ssl-certificates-in-kubernetes-pod-with-secret-8aca220896e6
@alexec that did the trick, thank you.
I have done the same configurations, but instead of https I am trying with http.
time="2020-12-29T07:15:07.029Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = token not valid for running mode" grpc.code=Unauthenticated grpc.method=GetVersion grpc.service=info.InfoService grpc.start_time="2020-12-29T07:15:07Z" grpc.time_ms=0.17 span.kind=server system=grpc
But I am getting the above error when I hit the argo-server URL. Any suggestions as to what could be wrong?
@dsetty25 can you try in Incognito mode please?
Hi, I tried in incognito as well, but the same issue exists. Currently I have added in server-deployment.yaml And in values.yaml sso: And in the Keycloak UI, I have created the client and client credentials.
kubectl create secret generic "argo-server-sso" --from-literal=client-secret=9a9c60ba-647d-480c-b6fa-82c19caad26a
After hitting the argo server URL, I manually need to click on the login option, but after that the Keycloak page appears and then again a popup comes up: "Failed to login:Unauthorized"
@giordyb Hi, I have the same SSO self-signed issue and am trying to mount the CA, but somehow it is failing. Can you please share the configuration for mounting the cert and passing the cert to argo server startup?
Hi @allapavan1208 you need to create a configmap (e.g. myca) with the CA cert and then modify the deployment like this:
Can you give a detailed explanation of how to fix it? I'm facing the same issue.
I showed the fix in my previous post, you need to mount your own SSL CA in the container and mount it as /etc/ssl/certs/ca.crt
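The mount described in this thread, written out as an added example (it is not code from any of the original posts). The ConfigMap name `myca` and the path `/etc/ssl/certs/ca.crt` come from the comments above; the namespace `argo`, the key name `ca.crt`, the volume name `internal-ca` and the PEM body are assumptions and placeholders, and only the Deployment fields to merge into the existing argo-server Deployment are shown.

```yaml
# ConfigMap holding the internal CA certificate (public certificate only,
# never the CA's private key).
apiVersion: v1
kind: ConfigMap
metadata:
  name: myca            # name taken from the thread
  namespace: argo       # assumption: namespace where argo-server runs
data:
  ca.crt: |             # assumption: key name; must match subPath below
    -----BEGIN CERTIFICATE-----
    <PEM of the CA that signed the SSO provider's certificate>
    -----END CERTIFICATE-----
---
# Fields to merge into the existing argo-server Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argo-server
  namespace: argo
spec:
  template:
    spec:
      containers:
        - name: argo-server
          volumeMounts:
            - name: internal-ca               # hypothetical volume name
              mountPath: /etc/ssl/certs/ca.crt  # path taken from the thread
              subPath: ca.crt   # mount a single file so the image's
                                # existing /etc/ssl/certs content stays visible
              readOnly: true
      volumes:
        - name: internal-ca
          configMap:
            name: myca
```

A `subPath` mount does not pick up later ConfigMap updates, so restart the argo-server pod after replacing the CA certificate.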
So my question is: how do I generate, or from where should I export, these CA certs?
You need to get/export the CA that signed the SSL certificate that is installed on your SSO authenticator and add it to the Argo Server container as explained above. Unfortunately I don't know anything about your specific configuration so I cannot help you further. In my case the Keycloak server's certificate was internal and it was signed by the CA created by Active Directory certificate server.
That makes more sense, thanks a lot.
I have had the same issue for 3 months
Summary
I am trying to configure ARGO to authenticate via SSO to an internal Keycloak server. The keycloak server certificates are signed by an internal CA.
I added this section in the workflow-controller-configmap:
and in the argo-server deployment I changed the args as follows:
After applying the configmap and changing the deployment, the argo-server starts but goes into a crash loop with the following error:
Is there a way to inject the CA in argo server other than having to create a custom docker image?
Diagnostics
What Kubernetes provider are you using?
1.16.8
What version of Argo Workflows are you running?
2.11.6
Message from the maintainers:
Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.