Loading...

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 1.6.1, 1.4.12, 1.5.6, 1.7.0
Affects Version/s: 1.6.0, 1.4.11, 1.5.5
Component/s: Operator
Labels:
- rn-done-known-issue
- workaround

Story Points:
5
Blocked:
False
Blocked Reason:
None
Ready:
False
Release Note Text:

Hide
Red Hat OpenShift GitOps Operator can make use of RHSSO (KeyCloak) through OIDC in addition to Dex. However, with a recent security fix applied, the certificate of RHSSO cannot be validated when it is setup with a certificate which is not signed by one of the well known certificate authorities.

With this release, Users can provide a custom certificate which will be used in verifying the Keycloak's TLS certificate when communicating with it. User can add the rootCA to their Argo CD custom resource `.spec.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate.

!!! note
    Argo CD server pod should be restarted after updating the `.spec.keycloak.rootCA`.

Please refer to the below example:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  sso:
    provider: keycloak
    keycloak:
     rootCA: |
       ---- BEGIN CERTIFICATE ----
       This is a dummy certificate
       Please place this section with appropriate rootCA
       ---- END CERTIFICATE ----
  server:
    route:
      enabled: true
```

Show
Red Hat OpenShift GitOps Operator can make use of RHSSO (KeyCloak) through OIDC in addition to Dex. However, with a recent security fix applied, the certificate of RHSSO cannot be validated when it is setup with a certificate which is not signed by one of the well known certificate authorities. With this release, Users can provide a custom certificate which will be used in verifying the Keycloak's TLS certificate when communicating with it. User can add the rootCA to their Argo CD custom resource `.spec.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate. !!! note     Argo CD server pod should be restarted after updating the `.spec.keycloak.rootCA`. Please refer to the below example: ```yaml apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata:   name: example-argocd   labels:     example: basic spec:   sso:     provider: keycloak     keycloak:      rootCA: |        ---- BEGIN CERTIFICATE ----        This is a dummy certificate        Please place this section with appropriate rootCA        ---- END CERTIFICATE ----   server:     route:       enabled: true ```

Sprint:
GITOPS Sprint 223, GITOPS Sprint 224

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Problem description:

Single Sign On with GitOps Operator can fail with the error message "x509: certificate signed by unknown authority" under the following circumstances:

You are using RHSSO (KeyCloak) as SSO provider and
You are using a self-signed certificate for your route endpoints, or you are using a private CA to issue certificates

This behavior is a result of a security fix in Argo CD, which enforces a strict validation of TLS certificates on the configued OIDC endpoints.

Workaround & Mitigation

There are multiple workarounds available:

For OpenShift GitOps 1.6 and above, you can disable TLS validation for the OIDC (Keycloak/RHSSO) endpoint in the ArgoCD spec:
```
spec:
  extraConfig:
    oidc.tls.insecure.skip.verify: "true"
```

For OpenShift GitOps 1.5 and below, you need to patch the argocd-cm ConfigMap in your instance's namespace as follows
```
oc patch configmap argocd-cm --patch='{"data": {"oidc.tls.insecure.skip.verify": "true"}}'     
```