'insecureSkipVerify: true' not work to skip CA validation when sso auth mode #10089

Closed
3 tasks done
neo502721 opened this issue Nov 22, 2022 · 0 comments · Fixed by #10090

Pre-requisites

  • I have double-checked my configuration
  • I can confirm the issue exists when I tested with :latest
  • I'd like to contribute the fix myself (see contributing guide)

What happened/what you expected to happen?

The HTTP client is created with a TLSConfig to allow skipping of CA validation if InsecureSkipVerify is set:

```go
// Create http client with TLSConfig to allow skipping of CA validation if InsecureSkipVerify is set.
httpClient := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: c.InsecureSkipVerify}}}
oidcContext := oidc.ClientContext(ctx, httpClient)
```

but the *http.Client is replaced with an empty one in providerFactoryOIDC:

```go
func providerFactoryOIDC(ctx context.Context, issuer string) (providerInterface, error) {
	oidcCtx := oidc.ClientContext(ctx, &http.Client{})
	return oidc.NewProvider(oidcCtx, issuer)
}
```

Version

release-3.4 or latest

Paste a small workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

```
[root@sk-rtls-dev-0024 ~]# kubectl get cm workflow-controller-configmap -n argo -o yaml
apiVersion: v1
data:
  sso: |
    issuer: https://argocd-server.argocd.svc.cluster.local/api/dex
    # issuer: https://10.0.71.94:30259/api/dex
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: https://10.0.71.94:31127/oauth2/callback
    insecureSkipVerify: true
kind: ConfigMap
metadata:
  creationTimestamp: "2022-11-10T05:34:07Z"
  name: workflow-controller-configmap
  namespace: argo
  resourceVersion: "1909378"
  uid: b30a1c6e-e5a2-4dc1-ab54-0cb1d5e4f177
```

Logs from the workflow controller

```
[root@sk-rtls-dev-0024 ~]# kubectl logs -f -nargo           argo-server-64df9549c6-5kpnm
time="2022-11-22T02:28:47.574Z" level=info msg="not enabling pprof debug endpoints"
time="2022-11-22T02:28:47.575Z" level=info authModes="[sso]" baseHRef=/ managedNamespace= namespace=argo secure=true ssoNamespace=argo
time="2022-11-22T02:28:47.575Z" level=info msg="Generating Self Signed TLS Certificates for Secure Mode"
Error: Get "https://argocd-server.argocd.svc.cluster.local/api/dex/.well-known/openid-configuration": x509: certificate signed by unknown authority
```

Logs from your workflow's wait container

none
neo502721 added a commit to neo502721/argo-workflows that referenced this issue Nov 25, 2022
Signed-off-by: neo502721 <zgmhdu@163.com>
sarabala1979 pushed a commit that referenced this issue Nov 28, 2022
Signed-off-by: neo502721 <zgmhdu@163.com>
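
The behaviour reported above, reproduced offline as an added example (not code from the issue, the linked fix, or Argo Workflows): a factory that installs a fresh `&http.Client{}` in the context discards the caller's TLS settings, while passing the caller's context through keeps them. `clientKey`, `withClient`, `discover` and `run` are hypothetical stand-ins for go-oidc's `oidc.ClientContext` and provider discovery, and the issuer is a local `httptest` TLS server with a constructed response. The example goes beyond the issue by also showing a client that trusts the issuer's certificate through `RootCAs`, which keeps verification on.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type clientKey struct{} // hypothetical stand-in for oidc.ClientContext's context key

func withClient(ctx context.Context, c *http.Client) context.Context {
	return context.WithValue(ctx, clientKey{}, c)
}

// discover fetches the discovery document with the client carried in ctx.
func discover(ctx context.Context, issuer string) error {
	c, ok := ctx.Value(clientKey{}).(*http.Client)
	if !ok {
		c = http.DefaultClient
	}
	resp, err := c.Get(issuer + "/.well-known/openid-configuration")
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// run returns the discovery error for: client overwritten, context passed through, CA trusted.
func run() (overwritten, passedThrough, trustedCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "{}") // constructed, empty discovery document
	}))
	defer srv.Close()
	skip := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
	skipCtx := withClient(context.Background(), skip)
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust only the test server's certificate
	trusted := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	caCtx := withClient(context.Background(), trusted)
	return discover(withClient(skipCtx, &http.Client{}), srv.URL), // factory replaces the client
		discover(skipCtx, srv.URL), discover(caCtx, srv.URL)
}

func main() {
	fmt.Println(run())
}
```

Only the first result is an error: the replaced client verifies against the system roots and rejects the self-signed certificate, as in the log above.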