Support custom CA for Gitlab connector #1542

Open
sll552 opened this issue Sep 5, 2019 · 4 comments

sll552 commented Sep 5, 2019

Hi,

We want to connect dex (as part of https://github.com/argoproj/argo-cd/) to our internal GitLab instance using the gitlab connector. Everything works to the point where dex is trying to retrieve the token, which fails with

x509: certificate signed by unknown authority

The certificate of our GitLab instance is signed by our company's CA, so it would be nice to be able to add CA certificates to the bundle used for validating the server cert.
I guess this could be done in the same way as for SAML with caData.

@bonifaido
Member

That would be a nice addition, I agree. In the meantime, we had an alternate solution for this in the mailing list, see: https://groups.google.com/forum/#!topic/dex-dev/aaXIlrZzEqY

GitHub has a rootCA field, which is a file path; I'm not sure which is better (but I vote for the file). 🙂

bonifaido self-assigned this Sep 5, 2019
Author

sll552 commented Sep 5, 2019

Thanks for the workaround.

For this use case (bundled and managed by argo-cd) it would be better to have the CA inside the ConfigMap, but I guess for everyone else a file would be better.
Unfortunately the argo guys weren't that fast with responding to my issue so I don't know if they will be trying to fix this on their side.

@jmccrumm

Any updates on this?

@romankspb

Ugly workaround, but working

argocd chart values.yaml

dex:
  enabled: true
  extraVolumeMounts:
    - mountPath: /etc/ssl/certs
      name: gitlab-ca

  extraVolumes:
    - name: gitlab-ca
      configMap:
        name: gitlab-ca

extraObjects:
 - apiVersion: v1
   data:
     gitlab.crt: |
       -----BEGIN CERTIFICATE-----

       -----END CERTIFICATE-----
   kind: ConfigMap
   metadata:
     creationTimestamp: null
     name: gitlab-ca
     namespace: argocd
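
For reference, an added example (not part of the thread and not dex's own code) of what the requested option amounts to on the Go side: the connector's HTTP client gets a root pool made of the system roots plus the configured CA, so the internal certificate verifies without touching `/etc/ssl/certs`, whose existing contents a volume mounted at that path hides. `clientWithCA` and `probe` are hypothetical names, and a local `httptest` TLS server with a certificate no system store trusts stands in for the internal GitLab instance.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientWithCA (hypothetical helper, not dex code) returns an HTTP client that
// trusts the system roots plus any PEM certificates in caPEM (caData-style).
func clientWithCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system bundle: start empty
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("CA data contains no valid PEM certificate")
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

// probe starts a constructed local TLS server (stand-in for the internal
// GitLab) and returns the error seen without and with its CA in the pool.
func probe() (withoutCA, withCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	try := func(ca []byte) error {
		c, err := clientWithCA(ca)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return try(nil), try(caPEM)
}

func main() {
	without, with := probe()
	fmt.Printf("system roots only: %v\nwith custom CA: %v\n", without, with)
}
```

Certificate verification stays enabled in both clients; only the set of trusted roots changes.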
