  1. OpenShift GitOps
  2. GITOPS-2212

Support setting root CA certificate for OIDC providers

Details

    • Story
    • Resolution: Duplicate
    • Critical
    • 1.6.1, 1.4.12, 1.5.6, 1.7.0
    • None
    • Operator
    • None
    • 5
    • False
    • None
    • False
    • GITOPS Sprint 223

    Description

      A recent security fix in Argo CD introduced strict validation of the OIDC provider's TLS certificate. GitOps Operator can use RHSSO (Keycloak) through OIDC in addition to Dex. However, with the security fix applied, the RHSSO certificate cannot be validated in some scenarios (e.g. self-signed certificate, custom enterprise CA, etc.).

      Upstream users can specify the CA certificate used for validation in the rootCA property of oidc.config in the argocd-cm ConfigMap; see https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider

      This setting should be exposed in the Operand, so users of GitOps Operator can specify whatever root CA certificate was used to issue the RHSSO certificate.
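
The upstream setting referenced above, shown as an added example that is not part of the ticket or the operator's code: an argocd-cm ConfigMap whose oidc.config carries a rootCA entry. The namespace, URLs, provider name, client ID, secret key name and certificate body are placeholders chosen for illustration.

```yaml
# Added example: upstream Argo CD configuration, not the Operator's API.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd                      # placeholder namespace
  labels:
    app.kubernetes.io/part-of: argocd
data:
  url: https://argocd.example.com        # placeholder Argo CD URL
  oidc.config: |
    name: RHSSO                          # placeholder display name
    issuer: https://sso.example.com/realms/example   # placeholder issuer URL
    clientID: argocd                     # placeholder client ID
    # Placeholder reference to a key stored in argocd-secret
    clientSecret: $oidc.keycloak.clientSecret
    requestedScopes: ["openid", "profile", "email", "groups"]
    # PEM of the root CA that issued the provider's TLS certificate.
    # Argo CD validates the provider's certificate chain against it.
    rootCA: |
      -----BEGIN CERTIFICATE-----
      <PLACEHOLDER: body of the enterprise or self-signed root CA certificate>
      -----END CERTIFICATE-----
```

Certificate validation stays enabled with this setting; rootCA only supplies the trust anchor that the strict validation needs for a privately issued provider certificate.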

            People

              aveerama@redhat.com Abhishek Veeramalla
              jfischer@redhat.com Jann Fischer