argo-helm
Keycloak integration fails with the error "x509: certificate signed by unknown authority"
Describe the bug
Hi Everyone, I am trying to integrate Argo-workflow with Keycloak. I am using this repo https://github.com/argoproj/argo-helm/tree/main/charts/argo-workflows. The pod argo-keyclock-argo-workflows-server is failing with this error
Get "https://keycloak.test.com/auth/realms/argocd/.well-known/openid-configuration": x509: certificate signed by unknown authority Error: Get "https://keycloak.test.com/auth/realms/argocd/.well-known/openid-configuration": x509: certificate signed by unknown authority
I couldn't find any option in the helm chart's values.yaml file to pass the custom root cert. But there is an option in the argo command to pass the custom certs: "--certificate-authority string Path to a cert file for the certificate authority"
What is the equivalent helm option to --certificate-authority?
Thanks in advance, Yogendra.
Related helm chart
argo-workflows
Helm chart version
0.16.7
To Reproduce
Try to integrate the argo workflow with keycloak
Expected behavior
Argo should be able to talk to keycloak
Screenshots
No response
Additional context
No response
Argo Workflows server has limited, unfinished support for serving TLS. In short, it only supports self-signed certificates right now. You will be better off fronting it with some sort of TLS-terminating proxy.
Thanks for the reply @vladlosev! That's what I am doing currently; we have an nginx ingress controller which takes care of SSL termination. The command below is used to start the workflow:
helm install --debug argo-keyclock argo/argo-workflows --set server.ingress.hosts[0]=argo.test.com --set server.ingress.ingressClassName=nginx --set server.serviceAccount.create=true --set server.ingress.enabled=true --set server.secure=true --set server.serviceAccount.name="argo-server" -n argo --create-namespace
But here the problem is how to add the root CA of keycloak to the truststore of the argo workflow? The option --certificate-authority is available with the argo command, but I couldn't find the equivalent option in helm values.yaml?
That is the client side option; it's not used by the server command.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
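The error quoted in this issue is what Go's TLS client returns when the CA that signed the issuer's certificate is not in the root pool it verifies against. The following is an added example, not code from the thread or from the Argo code base: it reproduces the failure against a local stand-in for Keycloak and shows it clearing once the CA is in the pool. `newIssuer` and `fetchDiscovery` are hypothetical names, and the certificate is the built-in test certificate from `net/http/httptest`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// discoveryPath mirrors the path in the error quoted in the issue.
const discoveryPath = "/auth/realms/argocd/.well-known/openid-configuration"

// newIssuer starts a local HTTPS server standing in for Keycloak (constructed
// for this example); its httptest certificate is in no system trust store.
func newIssuer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(discoveryPath, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"issuer":"constructed-example"}`)
	})
	return httptest.NewTLSServer(mux)
}

// fetchDiscovery requests the discovery document, trusting only the
// certificates in roots, and returns the HTTP status or the TLS error.
func fetchDiscovery(baseURL string, roots *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
	}}
	resp, err := client.Get(baseURL + discoveryPath)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	srv := newIssuer()
	defer srv.Close()
	// Root pool without the issuer's CA: same failure as in the issue.
	_, err := fetchDiscovery(srv.URL, x509.NewCertPool())
	fmt.Println("without CA:", err)
	// Root pool that contains the issuer's CA: verification succeeds.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	status, err := fetchDiscovery(srv.URL, roots)
	fmt.Println("with CA:", status, err)
}
```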