feat(sso): allow custom ca configuration

Author: bradfordwagner

config/sso.go

@@ -33,6 +33,10 @@ type SSOConfig struct {
 	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 	// FilterGroupsRegex filters groups using regular expressions
 	FilterGroupsRegex []string `json:"filterGroupsRegex,omitempty"`
+	// custom PEM encoded CA certificate file contents
+	RootCA string `json:"rootCA,omitempty"`
+	// custom CA certificate file name
+	RootCAFile string `json:"rootCAFile,omitempty"`
 }
 
 func (c SSOConfig) GetSessionExpiry() time.Duration {

docs/argo-server-sso.md

@@ -212,3 +212,50 @@ sso:
     - ".*argo-wf.*"
     - ".*argo-workflow.*"
 ```
+
+## Custom TLS Configuration
+
+> v3.8 and after
+
+You can configure custom TLS settings for OIDC provider connections. This is useful when your OIDC provider uses self-signed certificates or custom Certificate Authorities (CAs).
+
+### Custom CA Certificate
+
+You can specify a custom CA certificate in several ways:
+
+**Default system CA path** - If you mount CA certificates to `/etc/ssl/certs`, they will be automatically picked up by the system without needing to configure `rootCA` or `rootCAFile`:
+
+**Explicit configuration** - You can also explicitly specify custom CA certificates:
+
+1. **Inline PEM content** - Provide the CA certificate content directly in the configuration:
+
+```yaml
+sso:
+  # Custom PEM encoded CA certificate file contents
+  rootCA: |-
+    -----BEGIN CERTIFICATE-----
+    MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+    ...
+    -----END CERTIFICATE-----
+```
+
+2. **File path** - Reference a CA certificate file mounted in the container:
+
+```yaml
+sso:
+  # Custom CA certificate file name
+  rootCAFile: /etc/ssl/certs/custom-ca.pem
+```
+
+### Skip TLS Verification
+
+For development or testing environments, you can disable TLS certificate verification:
+
+```yaml
+sso:
+  # Skip TLS certificate verification (not recommended for production)
+  insecureSkipVerify: true
+```
+
+!!! Warning
+Using `insecureSkipVerify: true` disables TLS certificate verification and should only be used in development environments. For production, always use proper CA certificates.

docs/workflow-controller-configmap.md

@@ -298,6 +298,8 @@ SSOConfig contains single sign-on configuration settings
 | `UserInfoPath`         | `string`                                                                                                                    | UserInfoPath specifies the path to user info endpoint              |
 | `InsecureSkipVerify`   | `bool`                                                                                                                      | InsecureSkipVerify skips TLS certificate verification              |
 | `FilterGroupsRegex`    | `Array<string>`                                                                                                             | FilterGroupsRegex filters groups using regular expressions         |
+| `RootCA`               | `string`                                                                                                                    | custom PEM encoded CA certificate file contents                    |
+| `RootCAFile`           | `string`                                                                                                                    | custom CA certificate file name                                    |
 
 ## RBACConfig
 

docs/workflow-controller-configmap.yaml

@@ -458,6 +458,12 @@ data:
       enabled: false
     # Skip TLS verify, not recommended in production environments. Useful for testing purposes. >= v3.2.4
     insecureSkipVerify: false
+    # Custom PEM encoded CA certificate file contents. >= v3.8
+    # Note: If CA certificates are mounted to /etc/ssl/certs, this config is not needed.
+    rootCA: ""
+    # Custom CA certificate file name. >= v3.8
+    # Note: If CA certificates are mounted to /etc/ssl/certs, this config is not needed.
+    rootCAFile: ""
 
   # workflowRestrictions restricts the Workflows that the controller will process.
   # Current options:

server/auth/sso/clients.go

@@ -0,0 +1,86 @@
+package sso
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"os"
+)
+
+type HTTPClientConfig struct {
+	InsecureSkipVerify bool
+	RootCA             string
+	RootCAFile         string
+}
+
+func (c HTTPClientConfig) String() string {
+	rootCALen := len(c.RootCA)
+	rootCAPreview := ""
+	if rootCALen > 0 {
+		if rootCALen > 50 {
+			rootCAPreview = c.RootCA[:50] + "..."
+		} else {
+			rootCAPreview = c.RootCA
+		}
+	}
+
+	return fmt.Sprintf("HTTPClientConfig{InsecureSkipVerify: %t, RootCA: %q (%d bytes), RootCAFile: %q}",
+		c.InsecureSkipVerify, rootCAPreview, rootCALen, c.RootCAFile)
+}
+
+func createHTTPClient(config HTTPClientConfig) (*http.Client, error) {
+
+	// Start with a copy of the default client
+	httpClient := *http.DefaultClient
+
+	// If no custom TLS configuration is needed, return the default client copy
+	if !config.InsecureSkipVerify && config.RootCA == "" && config.RootCAFile == "" {
+		return &httpClient, nil
+	}
+
+	// Clone the default transport and cast to *http.Transport
+	defaultTransport := http.DefaultTransport.(*http.Transport)
+	transport := defaultTransport.Clone()
+
+	// Configure TLS settings
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: config.InsecureSkipVerify,
+	}
+
+	// Set RootCAs if provided
+	// Load root CA certificates from both string and file if defined
+	if config.RootCA != "" || config.RootCAFile != "" {
+
+		rootCAs := x509.NewCertPool()
+
+		// Add certificates from PEM string if provided
+		if config.RootCA != "" {
+			if ok := rootCAs.AppendCertsFromPEM([]byte(config.RootCA)); !ok {
+				return nil, fmt.Errorf("failed to append certificates from PEM string")
+			}
+		}
+
+		// Add certificates from file if provided
+		if config.RootCAFile != "" {
+			rootCAFile, err := os.ReadFile(config.RootCAFile)
+			if err != nil {
+				return nil, fmt.Errorf("failed to read CA certificate file: %w", err)
+			}
+
+			if ok := rootCAs.AppendCertsFromPEM(rootCAFile); !ok {
+				return nil, fmt.Errorf("failed to append CA certificate from file")
+			}
+		}
+
+		tlsConfig.RootCAs = rootCAs
+	}
+
+	// Apply the custom TLS config to the cloned transport
+	transport.TLSClientConfig = tlsConfig
+
+	// Use the modified transport in our client copy
+	httpClient.Transport = transport
+
+	return &httpClient, nil
+}