A recent security fix in Argo CD has introduced strict validation of TLS certificates of the OIDC provider. GitOps Operator can make use of RHSSO (KeyCloak) through OIDC in addition to Dex. However, with the security fix applied, the certificate of RHSSO cannot be validated in some scenarios (e.g. self-signed certificate, custom enterprise CA, etc).
Upstream users can specify the CA certificate used for validation in the rootCA property of oidc.config in the argocd-cm ConfigMap, see https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#configuring-a-custom-root-ca-certificate-for-communicating-with-the-oidc-provider
This setting should be exposed in the Operand, so users of GitOps Operator can specify whatever root CA certificate was used to issue the RHSSO certificate.
- is related to
GITOPS-2214 Keycloak/RHSSO login yields in certificate signed by unknown authority