OpenShift GitOps / GITOPS-2214

Keycloak/RHSSO login yields in certificate signed by unknown authority


Details

      Red Hat OpenShift GitOps Operator can use RHSSO (Keycloak) through OIDC in addition to Dex. However, with a recent security fix applied, the RHSSO certificate cannot be validated when RHSSO is set up with a certificate that is not signed by one of the well-known certificate authorities.

      With this release, users can provide a custom certificate that is used to verify Keycloak's TLS certificate when communicating with it. Add the root CA to the `.spec.keycloak.rootCA` field of the Argo CD custom resource. The operator reconciles this change and updates `oidc.config` in the `argocd-cm` ConfigMap with the PEM-encoded root certificate.

      !!! note
          Argo CD server pod should be restarted after updating the `.spec.keycloak.rootCA`.

      Refer to the example below:

      ```yaml
      apiVersion: argoproj.io/v1alpha1
      kind: ArgoCD
      metadata:
        name: example-argocd
        labels:
          example: basic
      spec:
        sso:
          provider: keycloak
          keycloak:
            rootCA: |
              -----BEGIN CERTIFICATE-----
              This is a dummy certificate.
              Replace this block with the PEM body of your root CA certificate.
              -----END CERTIFICATE-----
        server:
          route:
            enabled: true
      ```
    Sprint: GITOPS Sprint 223, GITOPS Sprint 224

    Description

      Problem description:

      Single sign-on with the GitOps Operator can fail with the error message "x509: certificate signed by unknown authority" under the following circumstances:

      • You are using RHSSO (Keycloak) as SSO provider, and
      • You are using a self-signed certificate for your route endpoints, or you are using a private CA to issue certificates.

      This behavior is a result of a security fix in Argo CD, which enforces strict validation of TLS certificates on the configured OIDC endpoints.

      Workaround & Mitigation

      There are multiple workarounds available:

      • For OpenShift GitOps 1.6 and above, you can disable TLS validation for the OIDC (Keycloak/RHSSO) endpoint in the ArgoCD spec:

        ```yaml
        spec:
          extraConfig:
            oidc.tls.insecure.skip.verify: "true"
        ```

      • For OpenShift GitOps 1.5 and below, you need to patch the argocd-cm ConfigMap in your instance's namespace as follows:

        ```shell
        oc patch configmap argocd-cm --patch='{"data": {"oidc.tls.insecure.skip.verify": "true"}}'
        ```
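The failure from the problem description and the rootCA mechanism from the release note above, reproduced offline as an added example (Go standard library only; this is not the operator's or Argo CD's own code): a constructed private CA issues the certificate a Keycloak route would present, verifying it with no extra root produces exactly the "x509: certificate signed by unknown authority" error, and verification succeeds once the CA's PEM, the same content that goes into `.spec.keycloak.rootCA`, is loaded into the trust pool. The host name `keycloak.apps.example.com`, the CA name and the function names are placeholders chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template valid for one day (constructed sample data).
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	return tmpl
}

// MakeCA creates a self-signed root, standing in for a customer's private CA.
func MakeCA(name string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := template(1, name, true)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// IssueServerCert issues the certificate a Keycloak route would present, signed by ca.
func IssueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, dnsName string) (*x509.Certificate, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := template(2, dnsName, false)
	tmpl.DNSNames = []string{dnsName}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CertPEM encodes a certificate in the form .spec.keycloak.rootCA expects.
func CertPEM(c *x509.Certificate) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
}

// VerifyWithRootCA models the check an OIDC client performs once the operator has
// copied rootCA into oidc.config: the PEM is loaded into a trust pool and the server
// certificate is verified against it. The system trust store is left out on purpose,
// so the outcome depends only on rootCA. A nil result means the chain is trusted.
func VerifyWithRootCA(server *x509.Certificate, rootCA, dnsName string) error {
	pool := x509.NewCertPool()
	if rootCA != "" && !pool.AppendCertsFromPEM([]byte(rootCA)) {
		return errors.New("rootCA holds no parsable PEM certificate; check the -----BEGIN CERTIFICATE----- markers")
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// IsUnknownAuthority reports whether err is Go's
// "x509: certificate signed by unknown authority" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "keycloak.apps.example.com" // hypothetical route host
	ca, caKey, err := MakeCA("Example Private Root CA")
	if err != nil {
		panic(err)
	}
	server, err := IssueServerCert(ca, caKey, host)
	if err != nil {
		panic(err)
	}
	fmt.Println("without rootCA:", VerifyWithRootCA(server, "", host))
	fmt.Println("with rootCA:   ", VerifyWithRootCA(server, CertPEM(ca), host))
}
```

Run it with `go run`. The first line prints the unknown-authority error from the ticket, the second prints `<nil>`. Two details worth noticing: `VerifyWithRootCA` rejects the placeholder text from the release-note example (four-dash `---- BEGIN CERTIFICATE ----` markers are not valid PEM, so `AppendCertsFromPEM` loads nothing), and a root from a different CA still fails verification, so the value placed in `.spec.keycloak.rootCA` has to be the CA that actually issued the Keycloak route certificate. The `oidc.tls.insecure.skip.verify` workarounds above bypass this check entirely, which is why the rootCA field is the intended fix rather than the workaround.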

      People

        aveerama@redhat.com Abhishek Veeramalla
        jfischer@redhat.com Jann Fischer