How to allow unsigned CA with SSO enabled

[sylock]

Summary

What happened/what you expected to happen?
I'm trying to configure SSO against an oauth 2 provider. That provider has an unsigned CA (this is a test environement). Argo server complains about it and refuse to start. I see that on dex you can set in the configmap the config "insecureCA: true" but I don't see such option neither in the workflow-controller-configmap or as an argument of the argo-server.

Can you help me?

What version of Argo Workflows are you running?
v3.1.3

Diagnostics

The logs of argo-server pod:

time="2021-09-23T14:10:14.062Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=argo-wf-development secure=false
time="2021-09-23T14:10:14.062Z" level=warning msg="You are running in insecure mode. Learn how to enable transport layer security: https://argoproj.github.io/argo-workflows/tls/"
time="2021-09-23T14:10:14.062Z" level=info msg="config map" name=workflow-controller-configmap
Error: Get "https://kubernetes.default.svc/.well-known/openid-configuration": x509: certificate signed by unknown authority
Get "https://kubernetes.default.svc/.well-known/openid-configuration": x509: certificate signed by unknown authority
Usage:
  argo server [flags]

Examples:

See https://argoproj.github.io/argo-workflows/argo-server.md

Flags:
      --access-control-allow-origin string   Set Access-Control-Allow-Origin header in HTTP responses.
      --auth-mode stringArray                API server authentication mode. Any 1 or more length permutation of: client,server,sso (default [client])
      --basehref string                      Value for base href in index.html. Used if the server is running behind reverse proxy under subpath different from /. Defaults to the environment variable BASE_HREF. (default "/")

[... it continues on the usage]

What Kubernetes provider are you using?
I'm using openshift:
Client Version: 4.8.11
Server Version: 4.7.7
Kubernetes Version: v1.20.0+c8905da

What executor are you running? Docker/K8SAPI/Kubelet/PNS/Emissary
PNS

---

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

[alexec]

We use gitHub.com/coreos/go-oidc. This does not support self-signed certificates.

You'll need to raise an issue with the upstream get this changed:

https://github.com/coreos/go-oidc/issues

[sylock]

Opened an issue there:
coreos/go-oidc#321

[ericchiang]

You can configure go-oidc's HTTP client with ClientContext

https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ClientContext

(This is the same strategy that x/oauth2 uses)

[alexec]

Thank you @ericchiang . Sounds like I was wrong.

@sylock would you be interested in submitting a PR to fix this?

[sylock]

@alexec Do you mean an empty PR so somebody else can take over it? (But I'm not sure how to create an empty PR). If not, I'm not a goland dev and I won't be able to fix this issue. Tell me how can I help (except dev).

[usr-av]

Did this change make into 3.2.3? I am getting the same error.

Keycloak for OIDC , using mkcert for local certifcate

I1031 22:59:49.619067       1 round_trippers.go:454] GET https://10.96.0.1:443/api/v1/namespaces/workflow/secrets/client-secret-secret 200 OK in 2 milliseconds
Error: Get "https://keycloak.amit.dev/auth/realms/myrealm-workflow/.well-known/openid-configuration": x509: certificate signed by unknown authority
Usage:
  argo server [flags]

Examples:

Get "https://keycloak.amit.dev/auth/realms/myrealm-workflow/.well-known/openid-configuration": x509: certificate signed by unknown authority
See https://argoproj.github.io/argo-workflows/argo-server/

I have attached mkcert rootCA to argo-server which should do something similar to below.

 curl https://keycloak.amit.dev/auth/realms/myrealm-workflow/.well-known/openid-configuration --cacert ../mkcert/rootCA.pem 

[jfb74]

@amit-va Based on the release changelogs and the v3.2.2 cherry pick it doesn't look like it has been in any of the releases yet. @alexec or someone more familiar with how this works could probably weigh in better here,

[nterra-paul]

If anyone wonders: This works now with v3.2.5 by adding insecureSkipVerify: true to the sso object described here: https://argoproj.github.io/argo-workflows/argo-server-sso/

sso:
  insecureSkipVerify: true 
  ...

Big thank you from my side - argo is really an awesome project!

[bartcode]

I was looking for this a month ago and ended up mounting the ca.pem. But I can now confirm the solution as provided by @nterra-paul works!

[jinnjwu]

If anyone wonders: This works now with v3.2.5 by adding insecureSkipVerify: true to the sso object described here: https://argoproj.github.io/argo-workflows/argo-server-sso/

sso:
  insecureSkipVerify: true 
  ...

Big thank you from my side - argo is really an awesome project!

this parameter is not working in 3.4.2

[neo502721]

If anyone wonders: This works now with v3.2.5 by adding insecureSkipVerify: true to the sso object described here: https://argoproj.github.io/argo-workflows/argo-server-sso/

sso:
  insecureSkipVerify: true 
  ...

Big thank you from my side - argo is really an awesome project!

this parameter is not working in 3.4.2

Is there any new parameter replace it ? I also found that not worked.