feat: enable specifying root ca for oidc (argoproj#6712)

When configuring an external OIDC provider which uses a private PKI for its certificates it was not possible to properly verify the certificate being served. Also, when using ArgoCD in insecure mode, e.g. when running behind istio for providing mTLS, this resulted in errors. Signed-off-by: Clive Jevons <[email protected]>
fishman · Dec 20, 2021 · fcaa8ab · fcaa8ab
1 parent e32c070
commit fcaa8ab
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 4 deletions.
diff --git a/docs/operator-manual/user-management/index.md b/docs/operator-manual/user-management/index.md
@@ -373,6 +373,21 @@ You are not required to specify a logoutRedirectURL as this is automatically gen
 !!! note
  The post logout redirect URI may need to be whitelisted against your OIDC provider's client settings for ArgoCD.
 
+### Configuring a custom root CA certificate for communicating with the OIDC provider
+
+If your OIDC provider is setup with a certificate which is not signed by one of the well known certificate authorities
+you can provide a custom certificate which will be used in verifying the OIDC provider's TLS certificate when
+communicating with it. 
+Add a `rootCA` to your `oidc.config` which contains the PEM encoded root certificate:
+
+```yaml
+ oidc.config: |
+ ...
+ rootCA: |
+ -----BEGIN CERTIFICATE-----
+ ... encoded certificate data here ...
+ -----END CERTIFICATE-----
+```
 
 
 ## SSO Further Reading

diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go
@@ -107,10 +107,7 @@ func NewClientApp(settings *settings.ArgoCDSettings, cache OIDCStateStorage, dex
  if err != nil {
  return nil, fmt.Errorf("parse redirect-uri: %v", err)
  }
- tlsConfig := settings.TLSConfig()
- if tlsConfig != nil {
- tlsConfig.InsecureSkipVerify = true
- }
+ tlsConfig := settings.OIDCTLSConfig()
  a.client = &http.Client{
  Transport: &http.Transport{
  TLSClientConfig: tlsConfig,

diff --git a/util/settings/settings.go b/util/settings/settings.go
@@ -121,6 +121,7 @@ type OIDCConfig struct {
  RequestedScopes []string `json:"requestedScopes,omitempty"`
  RequestedIDTokenClaims map[string]*oidc.Claim `json:"requestedIDTokenClaims,omitempty"`
  LogoutURL string `json:"logoutURL,omitempty"`
+ RootCA string `json:"rootCA,omitempty"`
 }
 
 // DEPRECATED. Helm repository credentials are now managed using RepoCredentials
@@ -1530,6 +1531,27 @@ func (a *ArgoCDSettings) OAuth2ClientSecret() string {
  return ""
 }
 
+func (a *ArgoCDSettings) OIDCTLSConfig() *tls.Config {
+ if oidcConfig := a.OIDCConfig(); oidcConfig != nil {
+ if oidcConfig.RootCA != "" {
+ certPool := x509.NewCertPool()
+ ok := certPool.AppendCertsFromPEM([]byte(oidcConfig.RootCA))
+ if !ok {
+ log.Warn("invalid oidc root ca cert - returning default tls.Config instead")
+ return &tls.Config{}
+ }
+ return &tls.Config{
+ RootCAs: certPool,
+ }
+ }
+ }
+ tlsConfig := a.TLSConfig()
+ if tlsConfig != nil {
+ tlsConfig.InsecureSkipVerify = true
+ }
+ return tlsConfig
+}
+
 func appendURLPath(inputURL string, inputPath string) (string, error) {
  u, err := url.Parse(inputURL)
  if err != nil {