argo-workflows: malformed Dex configuration found - Workflows & ArgoCD authentication
Summary
Configuring Argo-Workflows with Argo-CD(Dex) for authentication. Getting malformed Dex configuration found
I expect it to not be malformed as I am following the docs here -> https://argoproj.github.io/argo-workflows/argo-server-sso-argocd/#example-helm-chart-configuration-for-authenticating-against-argocds-dex
Diagnostics
What Kubernetes provider are you using? Using helm charts to deploy both workflows and cd. Running on GKE v 1.19
What version of Argo Workflows are you running?
latest
What executor are you running? Docker/K8SAPI/Kubelet/PNS/Emissary
Docker
I believe is the default
Did this work in a previous version? I.e. is it a regression? First time setting it up.
Logs from dex server:
kubectl logs -f argo-cd-argocd-dex-server-5cdd486f58-bhjtq
time="2021-06-30T19:23:21Z" level=info msg="Starting configmap/secret informers"
time="2021-06-30T19:23:21Z" level=info msg="Configmap/secret informer synced"
time="2021-06-30T19:23:21Z" level=info msg="0xc000876360 subscribed to settings updates"
time="2021-06-30T19:23:21Z" level=fatal msg="malformed Dex configuration found"
helm argo-cd values
dex:
image:
tag: v2.27.0
env:
- name: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: argo-workflows-sso
key: client-secret
server:
config:
dex.config: |
staticClients:
- id: argo-workflows-sso
name: Argo Workflow
redirectURIs:
- https://argo-workflows.domain/oauth2/callback
secretEnv: ARGO_WORKFLOWS_SSO_CLIENT_SECRET
image:
tag: v2.0.4
ingress:
enabled: true
annotations:
certmanager.k8s.io/cluster-issuer: letsencrypt
kubernetes.io/ingress.class: nginx-internal
labels: {}
ingressClassName: "nginx-internal"
helm argo-workflows values
workflow:
namespace: argo-cd
server:
extraArgs:
- --auth-mode=sso
sso:
issuer: https://argo-cd.domain/api/dex
# sessionExpiry defines how long your login is valid for in hours. (optional, default: 10h)
sessionExpiry: 240h
clientId:
name: argo-workflows-sso
key: client-id
clientSecret:
name: argo-workflows-sso
key: client-secret
redirectUrl: https://argo-workflows.domain/oauth2/callback
Message from the maintainers:
Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 3
- Comments: 20 (10 by maintainers)
@sidh Thank you very much for your input. Finally it worked. Just to let everyone else know in descriptive manner. In following code where it says
id: argo-workflows-sso
it should be your actual client-id from OIDC provider. So let me rewrite the documentation part where we have this client id : Argo workflow secret :Following code should be
Thats where documentation sucks as they are using argo-workflows-sso as a client-id too
@jrowinski3d Thank you very much for your input. Just figured it out before you posted. But really appreciate your help
Also DEX documentation helped it to understand :
https://dexidp.io/docs/using-dex/
https://dexidp.io/docs/using-dex/#:~:text=of the client.-,ClientID,-%3A "example-app"%2C ClientSecret
Hey @tiwarisanjay , my main problem was I didn’t have a
connector
setup in argo-cd dex configMap:I’m not working on that project anymore but maybe this CM setup will help you out.
Argo cd
Argo-Workflows
I’m trying to do something similar to this, I mistakenly didn’t have a connector configured either. Now that I have one configured things are up and running however when Argo Workflows tries to use the Argo CD dex to handle the login I just get an error saying:
Where
my-client-id
seems correct (it is the value from the Secret documented on https://argoproj.github.io/argo-workflows/argo-server-sso-argocd/#example-helm-chart-configuration-for-authenticating-against-argocds-dex)One thing I’m wondering is, should the client ID used for the argo workflows static client be the same as the client id used in the connector config? That is how we have it setup now (so using the same client-id in connector config and argo workflows static client). In our case we’re using microsoft connector