fix: OAuth2 callback with self-signed Root CA. Fixes #6793 #6978

Merged
merged 1 commit into from
Oct 20, 2021

NextNiclas
Contributor

Signed-off-by: Niclas Schnickmann <niclas.schnickmann@nextstep-services.de>

Looks like #6961 did not fix #6793 completely, as I missed adding an http.Client to the oauth Exchange call.

This one was tested on my staging cluster and works fine with Keycloak (internal CA/self-signed).

Signed-off-by: Niclas Schnickmann <niclas.schnickmann@nextstep-services.de>

codecov bot commented Oct 19, 2021

Codecov Report

Merging #6978 (90ae380) into master (6384e5f) will decrease coverage by 0.01%.
The diff coverage is 55.55%.

❗ Current head 90ae380 differs from pull request most recent head ba6d657. Consider uploading reports for the commit ba6d657 to get more accurate results

@@            Coverage Diff             @@
##           master    #6978      +/-   ##
==========================================
- Coverage   48.52%   48.50%   -0.02%     
==========================================
  Files         265      265              
  Lines       19272    19273       +1     
==========================================
- Hits         9352     9349       -3     
- Misses       8867     8868       +1     
- Partials     1053     1056       +3     
Impacted Files                        Coverage Δ
server/auth/sso/sso.go                27.27% <55.55%> (+0.87%) ⬆️
cmd/argoexec/commands/emissary.go     50.35% <0.00%> (-1.44%) ⬇️
workflow/controller/workflowpod.go    73.89% <0.00%> (-0.52%) ⬇️
cmd/argo/commands/get.go              59.18% <0.00%> (+0.29%) ⬆️

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@alexec alexec merged commit 2a15853 into argoproj:master Oct 20, 2021
Contributor

alexec commented Oct 20, 2021

Please comment if your changes are in v3.2 and we need to backport this.

@NextNiclas
Contributor Author

Thanks for merging. If I get you correctly (just let me know if not) then no. The branch containing my changes was based on master branch and not release-3.2.

@sarabala1979 sarabala1979 mentioned this pull request Oct 21, 2021
24 tasks
kriti-sc pushed a commit to kriti-sc/argo-workflows that referenced this pull request Oct 24, 2021
…rgoproj#6978)

Signed-off-by: Niclas Schnickmann <niclas.schnickmann@nextstep-services.de>
Signed-off-by: kriti-sc <kathuriakriti1@gmail.com>
@thesuperzapper
Contributor

@NextNiclas @alexec I think we should also add a config to specify a custom root CA (rather than encouraging users to blindly trust all certs).

Here is an example config:

apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
  namespace: argo
data:
  sso: |
    ...
    ## `rootCaFile` is just an example name
    rootCaFile: "/etc/oauth2-proxy/certs/ca.crt"
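
Added example, not part of the pull request or of Argo Workflows: one way a Go client can trust an internal root CA loaded from PEM data, as the comment above proposes, while certificate verification stays on. `newClientWithRootCA`, `get` and `probe` are hypothetical names, and the TLS server is a constructed local stand-in for an identity provider behind an internal CA.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClientWithRootCA trusts only the CA certificates in pemBytes (e.g. the
// contents of the proposed rootCaFile). InsecureSkipVerify is never set.
func newClientWithRootCA(pemBytes []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no valid CA certificate in PEM data")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}, nil
}

// get performs one request and returns only the error, closing the body.
func get(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// probe starts a constructed local TLS server with a self-signed certificate
// and returns the error seen with default roots and with the custom CA pool.
func probe() (defaultErr, customErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "ok") }))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	client, err := newClientWithRootCA(caPEM)
	if err != nil {
		return nil, err
	}
	return get(http.DefaultClient, srv.URL), get(client, srv.URL)
}

func main() {
	d, c := probe()
	fmt.Printf("default roots: %v\ncustom root CA: %v\n", d, c)
}
```

The default client rejects the server because its certificate chains to no trusted root, while the client given the CA connects with full verification.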

@thesuperzapper
Contributor

I have raised issue #7198 based on my proposal in: #6978 (comment)

alexec pushed a commit that referenced this pull request Nov 17, 2021
Signed-off-by: Niclas Schnickmann <niclas.schnickmann@nextstep-services.de>
@sarabala1979 sarabala1979 mentioned this pull request Dec 15, 2021
73 tasks
sarabala1979 pushed a commit that referenced this pull request Dec 15, 2021
Signed-off-by: Niclas Schnickmann <niclas.schnickmann@nextstep-services.de>
@sarabala1979 sarabala1979 mentioned this pull request Mar 1, 2022

Successfully merging this pull request may close these issues.

How to allow unsigned CA with SSO enabled