Keycloak integration fails with the error "x509: certificate signed by unknown authority" #1374

Closed
yogendramummaneni opened this issue Jul 13, 2022 · 6 comments

@yogendramummaneni

Describe the bug

Hi Everyone,
I am trying to integrate Argo-workflow with Keycloak. I am using this repo https://github.com/argoproj/argo-helm/tree/main/charts/argo-workflows.
The pod argo-keyclock-argo-workflows-server is failing with this error

Get "https://keycloak.test.com/auth/realms/argocd/.well-known/openid-configuration": x509: certificate signed by unknown authority
Error: Get "https://keycloak.test.com/auth/realms/argocd/.well-known/openid-configuration": x509: certificate signed by unknown authority

I couldn't find any option in the helm chart's values.yaml file to pass the custom root cert.
But there is an option in the argo command to pass custom certs: "--certificate-authority string Path to a cert file for the certificate authority"

What is the equivalent helm option to --certificate-authority?

Thanks in advance,
Yogendra.

Related helm chart

argo-workflows

Helm chart version

0.16.7

To Reproduce

Try to integrate the argo workflow with keycloak

Expected behavior

Argo should be able to talk to keycloak

Screenshots

No response

Additional context

No response

@yogendramummaneni yogendramummaneni added the bug Something isn't working label Jul 13, 2022
@vladlosev
Collaborator

Argo Workflows server has limited, unfinished support for serving TLS. In short, it only supports self-signed certificates right now. You will be better off fronting it with some sort of TLS-terminating proxy.

@yogendramummaneni
Author

Thanks for the reply @vladlosev!
That's what I am doing currently; we have an nginx ingress controller which takes care of SSL termination. The command below is used to start the workflow:

helm install --debug argo-keyclock argo/argo-workflows --set server.ingress.hosts[0]=argo.test.com --set server.ingress.ingressClassName=nginx --set server.serviceAccount.create=true --set server.ingress.enabled=true --set server.secure=true --set server.serviceAccount.name="argo-server" -n argo --create-namespace

But here the problem is how to add the root CA of keycloak to the truststore of the argo workflow?
The option --certificate-authority is available with the argo command, but I couldn't find the equivalent option in helm values.yaml?

@vladlosev
Collaborator

That is the client side option; it's not used by the server command.

@github-actions

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@srinivasmummareddy

@yogendramummaneni Is this issue resolved?

@ngealy

ngealy commented Oct 18, 2024

I'm having the same issue trying to pull an image from a self-hosted image repository.

I came up with a work-around using the initContainers solution described here argoproj/argo-cd#7572

Only difference was I used the extrainitContainers helm chart option and emptyDir{} volume type instead of an existing PVC.
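
Added example, not from this thread and not Argo's own code: a Go program (Go being the language the Argo server is written in) that reproduces the error class reported above and shows that it depends only on which CAs the client process trusts. The local `httptest` endpoint standing in for Keycloak and the helper names `probe` and `demo` are constructed for illustration; the URL path mirrors the one in the error message.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe fetches url trusting only the CAs in caPEM (nil means an empty
// trust store) and reports how certificate verification ended.
func probe(url string, caPEM []byte) string {
	pool := x509.NewCertPool()
	if caPEM != nil && !pool.AppendCertsFromPEM(caPEM) {
		return "bad PEM bundle"
	}
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	resp, err := client.Get(url)
	var unknown x509.UnknownAuthorityError
	switch {
	case errors.As(err, &unknown): // "x509: certificate signed by unknown authority"
		return "unknown authority"
	case err != nil:
		return "other error: " + err.Error()
	}
	resp.Body.Close()
	return "trusted"
}

// demo probes a constructed local HTTPS endpoint without and with its CA.
func demo() (without, with string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"issuer":"constructed"}`)
	}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	url := srv.URL + "/auth/realms/argocd/.well-known/openid-configuration"
	return probe(url, nil), probe(url, caPEM)
}

func main() {
	without, with := demo()
	fmt.Printf("CA absent from trust store: %s\nCA present in trust store: %s\n", without, with)
}
```

The server certificate is identical in both probes; only the client's root pool changes, which is why a fix has to place the issuing CA where the server pod's Go runtime loads its roots.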
