argo-workflows: malformed Dex configuration found - Workflows & ArgoCD authentication

Summary

Configuring Argo-Workflows with Argo-CD (Dex) for authentication. Getting "malformed Dex configuration found".

I expect it to not be malformed as I am following the docs here -> https://argoproj.github.io/argo-workflows/argo-server-sso-argocd/#example-helm-chart-configuration-for-authenticating-against-argocds-dex

Diagnostics

What Kubernetes provider are you using? Using helm charts to deploy both workflows and cd. Running on GKE v 1.19

What version of Argo Workflows are you running? latest

What executor are you running? Docker/K8SAPI/Kubelet/PNS/Emissary Docker I believe is the default

Did this work in a previous version? I.e. is it a regression? First time setting it up.

Logs from dex server:

kubectl logs -f argo-cd-argocd-dex-server-5cdd486f58-bhjtq 
time="2021-06-30T19:23:21Z" level=info msg="Starting configmap/secret informers"
time="2021-06-30T19:23:21Z" level=info msg="Configmap/secret informer synced"
time="2021-06-30T19:23:21Z" level=info msg="0xc000876360 subscribed to settings updates"
time="2021-06-30T19:23:21Z" level=fatal msg="malformed Dex configuration found" 

helm argo-cd values

dex:
  image:
    tag: v2.27.0
  env:
    - name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: argo-workflows-sso
          key: client-secret
server:
  config:
    dex.config: |
      staticClients:
      - id: argo-workflows-sso
        name: Argo Workflow
        redirectURIs:
          - https://argo-workflows.domain/oauth2/callback
        secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
  image:
    tag: v2.0.4
  ingress:
    enabled: true
    annotations:
      certmanager.k8s.io/cluster-issuer: letsencrypt
      kubernetes.io/ingress.class: nginx-internal
    labels: {}
    ingressClassName: "nginx-internal"

helm argo-workflows values

workflow:
  namespace: argo-cd

server:
  extraArgs:
    - --auth-mode=sso
  sso:
    issuer: https://argo-cd.domain/api/dex
    # sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
    sessionExpiry: 240h
    clientId:
      name: argo-workflows-sso
      key: client-id
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    redirectUrl: https://argo-workflows.domain/oauth2/callback

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 20 (10 by maintainers)

Most upvoted comments

@sidh Thank you very much for your input. Finally it worked. Just to let everyone else know in a descriptive manner: in the following code, where it says id: argo-workflows-sso, it should be your actual client-id from the OIDC provider. So let me rewrite the documentation part where we have this client id. Argo workflow secret:

apiVersion: v1
kind: Secret
metadata:
  name: argo-workflows-sso
data:
  # client-id is 'my-client-id-1234-1234'
  client-id: bXktY2xpZW50LWlkLTEyMzQtMTIzNAo=
  # client-secret is 'my-client-secret-very-secret'
  client-secret: bXktY2xpZW50LXNlY3JldC12ZXJ5LXNlY3JldAo=

The following code should be:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  # Kustomize sees the value of dex.config as a single string instead of yaml. It will not merge
  # Dex settings, but instead it will replace the entire configuration with the settings below,
  # so add these to the existing config instead of setting them in a separate file
  dex.config: |
    # Setting staticClients allows ArgoWorkflows to use ArgoCD's Dex installation for authentication
    staticClients:
      - id: my-client-id-1234-1234
        name: Argo Workflow
        redirectURIs:
          - https://argo-workflows.mydomain.com/oauth2/callback
        secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET

That's where the documentation sucks, as they are using argo-workflows-sso as a client-id too.

@jrowinski3d Thank you very much for your input. Just figured it out before you posted. But I really appreciate your help.

Also, the Dex documentation helped to understand it:

https://dexidp.io/docs/using-dex/

https://dexidp.io/docs/using-dex/#:~:text=of the client.-,ClientID,-%3A "example-app"%2C ClientSecret

Hey @tiwarisanjay, my main problem was I didn’t have a connector set up in the argo-cd dex configMap:

I’m not working on that project anymore but maybe this CM setup will help you out.

Argo cd

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  # Kustomize sees the value of dex.config as a single string instead of yaml. It will not merge
  # Dex settings, but instead it will replace the entire configuration with the settings below,
  # so add these to the existing config instead of setting them in a separate file
  url: https://argocd.<redacted>
  dex.config: |
    logger:
      level: debug
      format: json
    connectors:
    - type: saml
      id: okta
      name: Okta
      config:
        ssoURL: https://<redacted>/sso/saml 
        # You need `caData` _OR_ `ca`, but not both.
        caData: |
          <redacted>
        redirectURI: https://argocd.<redacted>/api/dex/callback
        usernameAttr: email
        emailAttr: email
        groupsAttr: group
    staticClients:
    - id: argo-workflows-sso
      name: Argo Workflow
      redirectURIs:
        - https://argo-workflows<redacted>/oauth2/callback
      secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
      

Argo-Workflows

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: workflow-controller-configmap
data:
  # SSO Configuration for the Argo server.
  # You must also start argo server with `--auth-mode sso`.
  # https://argoproj.github.io/argo-workflows/argo-server-auth-mode/
  sso: |
    # This is the root URL of the OIDC provider (required).
    issuer: https://argocd.<redacted>/api/dex
    # This is name of the secret and the key in it that contain OIDC client
    # ID issued to the application by the provider (required).
    clientId:
      name: argo-workflows-sso
      key: client-id
    # This is name of the secret and the key in it that contain OIDC client
    # secret issued to the application by the provider (required).
    clientSecret:
      name: argo-workflows-sso
      key: client-secret
    # This is the redirect URL supplied to the provider (required). It must
    # be in the form <argo-server-root-url>/oauth2/callback. It must be
    # browser-accessible.
    redirectUrl: https://argo-workflows.<redacted>/oauth2/callback

I’m trying to do something similar to this; I mistakenly didn’t have a connector configured either. Now that I have one configured, things are up and running. However, when Argo Workflows tries to use the Argo CD dex to handle the login, I just get an error saying:


Not Found

Invalid client_id ("my-client-id").

Where my-client-id seems correct (it is the value from the Secret documented on https://argoproj.github.io/argo-workflows/argo-server-sso-argocd/#example-helm-chart-configuration-for-authenticating-against-argocds-dex)

One thing I’m wondering is, should the client ID used for the argo workflows static client be the same as the client id used in the connector config? That is how we have it set up now (so using the same client-id in connector config and argo workflows static client). In our case we’re using the Microsoft connector.
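
Added example, not part of the thread and not code from the Argo or Dex projects: a stdlib-only Python check that the client-id stored in the `argo-workflows-sso` Secret, the `id` under `staticClients` in `dex.config`, and the Argo Workflows `redirectUrl` agree with each other. The inputs are constructed from the manifests quoted above; `static_clients` and `check_sso` are hypothetical helper names, and the reader is a minimal line-based one for this layout, not a YAML parser.

```python
import base64
import re

# Constructed inputs, copied from the example manifests quoted in this thread.
SECRET_CLIENT_ID_B64 = "bXktY2xpZW50LWlkLTEyMzQtMTIzNAo="
REDIRECT_URL = "https://argo-workflows.mydomain.com/oauth2/callback"
DEX_CONFIG = """\
staticClients:
  - id: my-client-id-1234-1234
    name: Argo Workflow
    redirectURIs:
      - https://argo-workflows.mydomain.com/oauth2/callback
    secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
"""

def static_clients(dex_config):
    """Minimal line-based reader for the staticClients list (not a YAML parser)."""
    clients, in_section, in_uris = [], False, False
    for raw in dex_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace() and not line.startswith("-"):
            in_section = line == "staticClients:"  # a new top-level key
            continue
        if not in_section:
            continue
        m = re.match(r"-\s*id:\s*(\S+)", line)
        if m:
            clients.append({"id": m.group(1).strip("\"'"), "redirectURIs": []})
            in_uris = False
        elif line == "redirectURIs:":
            in_uris = bool(clients)
        elif in_uris and line.startswith("- "):
            clients[-1]["redirectURIs"].append(line[2:].strip("\"' "))
        else:
            in_uris = False
    return clients

def check_sso(client_id_b64, dex_config, redirect_url):
    findings = []  # an empty list means the three values line up
    decoded = base64.b64decode(client_id_b64).decode()
    if decoded != decoded.strip():
        findings.append("decoded client-id has leading/trailing whitespace")
    match = [c for c in static_clients(dex_config) if c["id"] == decoded.strip()]
    if not match:
        findings.append("no staticClients id equals the decoded client-id")
    elif redirect_url not in match[0]["redirectURIs"]:
        findings.append("redirectUrl is not in that client's redirectURIs")
    return findings
```

On the sample inputs the whitespace finding fires: the base64 `client-id` value shown in the thread decodes to `my-client-id-1234-1234` followed by a newline, which is what `echo` without `-n` produces when the value is encoded.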