Argo-cd: Secret substitution in OIDC config may not work.

Created on 27 Nov 2019  ·  6Comments  ·  Source: argoproj/argo-cd

Checklist:

  • [ ] I've searched in the docs and FAQ for my answer: http://bit.ly/argocd-faq.
  • [ ] I've included steps to reproduce the bug.
  • [ ] I've pasted the output of argocd version.

Describe the bug

Secret substitution in OIDC may not work.

To Reproduce

A list of the steps required to reproduce the issue. Best of all, give us the URL to a repository that exhibits this issue.

Expected behavior

Expect to be able to configure OIDC using secrets as per https://github.com/argoproj/argo-cd/blob/6cbc43e2ae940a6c4a274198ca3db46b93f953d9/docs/operator-manual/sso/index.md.

Version

TBD

Logs

Hi there. I'm trying to configure an external OIDC provider right now and was going to use the secret reference feature like the docs mention: clientSecret: $oidc.client.secret
The thing is, it's not working. If I pass the secret directly in the configmap then it's okay, but not the reference. What could be missing? I have the oidc.client.secret key in argocd-secret and it's the correct one. (edited)

All 6 comments

We try to configure OIDC integrations against Keycloak and followed the recommendation within the docs to store the secret within the argocd-secret.

Any values which start with '$' will look to a key in argocd-secret of the same name (minus the $), to obtain the actual value. This allows you to store the clientSecret as a kubernetes secret.

https://argoproj.github.io/argo-cd/operator-manual/sso/

The argocd-cm looks like this:

apiVersion: v1
data:
  oidc.config: |
    name: keycloak
    issuer: https://login.my-keycloak/auth/realms/someRealm
    clientID: svc-argocd
    clientSecret: $oidc.client.secret
    requestedScopes: ["openid", "profile", "email", "groups"]
  users.anonymous.enabled: "false"
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd

We followed the documentation and stored the oidc.client.secret in the argocd-secret:

apiVersion: v1
data:
  admin.password: ...
  admin.passwordMtime: ...
  oidc.client.secret: ...
  server.secretkey: ...
  webhook.github.secret: ...
kind: Secret
metadata:
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
  name: argocd-secret
  namespace: argocd
type: Opaque

Values have been removed here, but we triple checked and they are correct and all base64 encoded.

When we try to log in via Keycloak the login screen is shown. Once we enter valid credentials it results in an error:

failed to get token: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"unauthorized_client","error_description":"Invalid client secret"}

The error is probably keycloak specific and not directly from Argo CD.

If we specify the clientSecret directly within the configmap then it works. So the assumption is that the variable substitution does not work correctly.

We also tried a different variable name without dots, e.g. just $clientSecret, but the result was the same.

ArgoCD version: v1.3.0

OK. I've not been able to repro this using Okta either.

This issue can be closed!
After updating the source code, building my own image and printing the clientSecret I figured out that there was a newline '\n' at the end in the base64 encoded secret.

@alexec Thanks a lot for your help!
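The root cause above (a trailing newline inside the base64-encoded oidc.client.secret, invisible in kubectl output) is easy to check for before the login fails. The following is an added diagnostic, not Argo CD's own code: it mimics the documented rule that a value starting with `$` is looked up as a key of the same name in argocd-secret, decodes the entry, and warns about missing keys, invalid base64, and leading/trailing whitespace or newlines. The sample secret and oidc.config values are constructed.

```python
import base64
from typing import Dict, List, Tuple

# Constructed sample of the `data` section of argocd-secret (base64, as stored
# in the cluster). The client secret was encoded with `echo` instead of
# `echo -n`, so the decoded value ends in "\n": the defect found in this issue.
SAMPLE_SECRET_DATA = {
    "oidc.client.secret": base64.b64encode(b"s3cr3t-client-value\n").decode(),
    "server.secretkey": base64.b64encode(b"not-relevant-here").decode(),
}

# Constructed sample of the oidc.config block from argocd-cm.
SAMPLE_OIDC_CONFIG = {
    "name": "keycloak",
    "clientID": "svc-argocd",
    "clientSecret": "$oidc.client.secret",
}


def resolve_references(config: Dict[str, str],
                       secret_data: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve `$key` references as the docs describe: a value beginning with
    `$` is replaced by the base64-decoded argocd-secret entry of the same name
    (minus the `$`). Returns the resolved config and a list of warnings."""
    resolved, warnings = dict(config), []
    for field, value in config.items():
        if not value.startswith("$"):
            continue  # literal value, nothing to resolve
        key = value[1:]
        if key not in secret_data:
            warnings.append(f"{field}: key {key!r} not found in argocd-secret")
            continue
        try:
            decoded = base64.b64decode(secret_data[key], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            warnings.append(f"{field}: {key!r} is not valid base64")
            continue
        text = decoded.decode("utf-8", errors="replace")
        if text != text.strip():
            # Exactly the failure mode in this thread: the IdP sees "secret\n".
            warnings.append(f"{field}: {key!r} has leading/trailing whitespace "
                            f"or newline: {text!r}")
        resolved[field] = text
    return resolved, warnings


if __name__ == "__main__":
    _, warns = resolve_references(SAMPLE_OIDC_CONFIG, SAMPLE_SECRET_DATA)
    for w in warns:
        print("WARNING:", w)
```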

I'm still running into this issue with v1.6.1+159674e...

Hi, I'm running into this issue with v1.7.7
