
Keycloak integration fails with the error "x509: certificate signed by unknown authority"

Open yogendramummaneni opened this issue 1 year ago • 4 comments

Describe the bug

Hi everyone, I am trying to integrate Argo-workflow with Keycloak. I am using this repo https://github.com/argoproj/argo-helm/tree/main/charts/argo-workflows. The pod argo-keyclock-argo-workflows-server is failing with this error:

Get "https://keycloak.test.com/auth/realms/argocd/.well-known/openid-configuration": x509: certificate signed by unknown authority Error: Get "https://keycloak.test.com/auth/realms/argocd/.well-known/openid-configuration": x509: certificate signed by unknown authority

I couldn't find any option in the helm chart's values.yaml file to pass the custom root cert. But there is an option in the argo command to pass the custom certs: "--certificate-authority string Path to a cert file for the certificate authority"

What is the equivalent helm option to --certificate-authority?

Thanks in advance, Yogendra.

Related helm chart

argo-workflows

Helm chart version

0.16.7

To Reproduce

Try to integrate the argo workflow with keycloak

Expected behavior

Argo should be able to talk to keycloak

Screenshots

No response

Additional context

No response

yogendramummaneni avatar Jul 13 '22 20:07 yogendramummaneni

Argo Workflows server has limited, unfinished support for serving TLS. In short, it only supports self-signed certificates right now. You will be better off fronting it with some sort of TLS-terminating proxy.

vladlosev avatar Jul 13 '22 21:07 vladlosev

Thanks for the reply @vladlosev! That's what I am doing currently, we are having an nginx ingress controller which takes care of SSL termination. The below command is used to start the workflow:

helm install --debug argo-keyclock argo/argo-workflows --set server.ingress.hosts[0]=argo.test.com --set server.ingress.ingressClassName=nginx --set server.serviceAccount.create=true --set server.ingress.enabled=true --set server.secure=true --set server.serviceAccount.name="argo-server" -n argo --create-namespace

But here the problem is how to add the root CA of keycloak to the truststore of the argo workflow? The option --certificate-authority is available with the argo command, but I couldn't find the equivalent option in helm values.yaml?

yogendramummaneni avatar Jul 13 '22 21:07 yogendramummaneni

That is the client side option; it's not used by the server command.

vladlosev avatar Jul 13 '22 22:07 vladlosev

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Sep 13 '22 04:09 github-actions[bot]