Fresh ArgoCD installation complain about certificate

[luylucas10]

I have deployed argocd in one kubernetes cluster.

Now I'm trying to connect argocd to my keycloak and gitlab instances, but they are in different domains, e.g.:

• argocd.example.org
• keycloak.test.org
• gitlab.test.org

All certificates are not self signed.

When I try to login with keycloak this error occurs:

Failed to query provider "https://keycloak.test.org/realms/realm": Get "https://keycloak.test.org/realms/realm/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate is valid for *.example.org not *.test.org as argo trying to validate keycloak/gitlab instance with its certificate. I have a nginx as reverse proxy in front of argocd doing the balancing and tls stuffs, so I configure argo without tls, running in the http port.

This is all script that I'd use to deploy argo:

kubectl --kubeconfig config-file create namespace argocd
kubectl --kubeconfig config-file config set-context --current --namespace=argocd
kubectl --kubeconfig config-file apply -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
git clone https://github.com/argoproj/argo-cd.git argo-cd
kubectl --kubeconfig config-file apply -k argo-cd/examples/k8s-rbac/argocd-server-applications
kubectl --kubeconfig config-file patch configmap -n argocd argocd-cmd-params-cm  --type merge -p '{"data": {"application.namespaces": "*", "server.insecure": "true"}}'
kubectl --kubeconfig config-file patch configmap -n argocd argocd-cm --type merge -p '{"data": {"resource.exclusions": "- apiGroups:\n  - tekton.dev\n  clusters:\n  - \"*\"\n  kinds:\n  - TaskRun\n  - PipelineRun"}}'
echo -n "credentials" | base64
kubectl --kubeconfig config-file patch secret argocd-secret -n argocd -p '{"data": {"oidc.keycloak.clientSecret": "base64-credentials"}}'
kubectl --kubeconfig config-file patch configmap -n argocd argocd-cm --type merge -p '{"data": {"url": "https://argocd.example.com", "oidc.config": "name: Keycloak\nissuer: https://keycloak.test.org/realms/realm\nclientID: client\nclientSecret: $oidc.keycloak.clientSecret\nrequestedScopes: [\"openid\", \"profile\", \"email\", \"groups\"]"}}'
kubectl --kubeconfig config-file patch configmap -n argocd argocd-rbac-cm --type merge -p '{"data": {"policy.csv": "g, argo-adm, role:admin"}}'
kubectl --kubeconfig config-file rollout restart -n argocd deployment argocd-server && kubectl --kubeconfig config-file rollout restart -n argocd statefulset argocd-application-controller

The ingress of it:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: argocd-server-ingress
  namespace: argocd
  annotations:
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  rules:
  - host: argocd.example.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: argocd-server
            port: 
              name: http

What am I doing wrong?

[luylucas10]

Well, I resolved that. It's not specific problem with argo, but with certificates itself.
I add the gitlab.test.org to the example.org nginx and in argo I used gitlab.example.org, that way the certificates are the same but nginx redirect to the existent instance.
Well the question is: but what happens when we use github or another domain with on-premisse infra with our certificate? Why that way works? Well, I don't know hahahaha.