Comments (5)
christianh814
commented on June 28, 2024
@mattpoel Are you using direct OIDC setup or are you doing it with Dex? (Judging from the output I assume it's OIDC directly but want to make sure)
from argo-cd.
mattpoel
commented on June 28, 2024
@christianh814 my trust configuration looks like the following:
apiVersion: openunison.tremolo.io/v1
kind: Trust
metadata:
name: argocd
namespace: openunison
spec:
accessTokenSkewMillis: 120000
accessTokenTimeToLive: 1200000
authChainName: login-service
clientId: argocd
codeLastMileKeyName: lastmile-oidc
codeTokenSkewMilis: 60000
publicEndpoint: true
redirectURI:
- https://argo.demo.domain.com/auth/callback
- http://localhost:8085/auth/callback
signedUserInfo: true
verifyRedirect: true
and the configmap for the OIDC configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
namespace: argocd
labels:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
data:
url: https://argo.demo.domain.com
oidc.config: |-
name: OpenUnison
issuer: https://k8sou.demo.domain.com/auth/idp/k8sIdp
clientID: argocd
requestedScopes: ["openid", "profile", "email", "groups"]
from argo-cd.
agaudreault
commented on June 28, 2024
Usually, tls: failed to verify certificate: x509: certificate signed by unknown authority errors indicates that https://k8sou.demo.domain.com/auth/idp/k8sIdp/.well-known/openid-configuration does not have a valid trusted certificate. You can try to reproduce with curl from a container running where argo-cd is deployed. If you need to add --insecure, then you will either need a certificate trusted by a known CA, or add the root CA to the trust store.
https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#repositories-using-self-signed-tls-certificates-or-are-signed-by-custom-ca might be a way that works for argo. It is documented for repository, but since the server is making the call to the oidc provider, I think it might work too.
from argo-cd.
mattpoel
commented on June 28, 2024
@agaudreault this was also my thinking, but I already spun up a throwaway netshoot pod in the argocd namespace to check on that, and the certificate/request to the URL was fine 😐
I now thought, a couple of restarts and re-applying the configuration can't do any harm and by:
- Removing the OIDC configuration from the
argocd-cmConfigMap. - Deleting the
argocd-serverpod (to get a new one running). - Re-adding the OIDC configuration to the
argocd-cmConfigMap. - Deleting the
argocd-serverpod again to get a new one up and running. - Reloading my ArgoCD browser tab.
💥 I was in (because I had already signed on in OpenUnison).
I guess the restarts of the argocd-server pod fixed this. According to documentation the configuration can be done without any restarts, but in case somebody might end up with the same problem, give it a try 😉
Thanks for your support! @agaudreault @christianh814
from argo-cd.
Kampe
commented on June 28, 2024
I too am running into this with my sso provider as I use self signed certs I assume there's either a way to tell Dex to not verify or I guess just mount the crt.
from argo-cd.
Related Issues (20)
- [2.12-RC1] "revision not found" error when calling Application API RevisionMetadata
- applicationset-controller update to latest version after 6.17, get fatal error: Could not read from remote repository
- how to fix? HOT 1
- Fail to block share resource app when syncing app right after creating it
- [Docs] incorrect regex to get currentVersion
- ReadTheDocs all old version js file is not same with latest version.
- After upgrading from `2.10.12` to `2.11` all applications sourced from github stopped working due to `failed to get git client for repo https://github.com/cxxx.git`
- Unable to deploy or add oci enable helm repository presented in Harbor's project(private/public) HOT 1
- error HOT 2
- Upon upgrading from EKS 1.29 to 1.30 argocd is marking assigned nodeports as out of sync HOT 5
- RBAC policy not honored for Google SSO logged in user, member of particular group HOT 4
- not able to connect with public github repo HOT 2
- UID not unique error when trying to build images on Linux systems
- Error syncing `Job` due to `spec.podReplacementPolicy: field not declared in schema`
- Add pull request state to the github pull request generator HOT 3
- ApplicationSet suddenly deletes applications HOT 4
- argocd app create --dest-name command is not idempotent HOT 2
- allowed concurrent proccessing for plugins
- After upgrade to 2.11.3 couldn't find cmp-server plugin
- Support git webhook on Applicationsets for gitea/forgejo
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from argo-cd.