[bitnami/argo-cd] oidc authentication flow: NOAUTH Authentication required #32444

Open
davgia opened this issue Mar 13, 2025 · 14 comments · Fixed by #32477
Labels: argo-cd, in-progress, tech-issues (The user has a technical issue about an application)

Comments

@davgia
Contributor

davgia commented Mar 13, 2025

Name and Version

bitnami/argocd 7.2.3

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. deploy bitnami/keycloak chart 22.2.1 (see values below)
  2. create a new keycloak realm named "management"
  3. configure the realm following the argocd documentation (https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/keycloak/)
  4. create a new keycloak user
  5. deploy bitnami/argocd chart 7.2.3 (see values below)
  6. patch argocd-secret to include keycloak client id and secret:
     ```yaml
     oidc.keycloak.clientId: argo-cd
     oidc.keycloak.clientSecret: "***"
     ```
  7. try to log into argo-cd using Keycloak, argo-cd should redirect to keycloak, log in using the credentials created previously. It should return to the argocd callback endpoint (auth/callback) and it should show an error instead of the argocd home

Notes

  • I can successfully log into ArgoCD if I use the admin user
  • I see the following error from argocd-repo-server pod:

```json
{"error":"failed to list refs: NOAUTH Authentication required.","grpc.code":"Unknown","grpc.method":"GenerateManifest","grpc.service":"repository.RepoServerService","grpc.start_time":"2025-03-13T16:28:50Z","grpc.time_ms":0.455,"level":"error","msg":"finished unary call with code Unknown","span.kind":"server","system":"grpc","time":"2025-03-13T16:28:50Z"}
{"level":"error","msg":"Error attempting to retrieve git references from cache: NOAUTH Authentication required.","time":"2025-03-13T16:28:54Z"}
```

  • see the following warning from argocd-server pod:

```json
{"level":"warning","msg":"Failed to resync revoked tokens. retrying again in 1 minute: NOAUTH Authentication required.","time": "2025-03-13T16:30:36Z"}
```

  • the same configuration works with: bitnami/keycloak 16.1.7, bitnami/argo-cd 5.1.17

Are you using any custom parameters or values?

Keycloak

```yaml
# keycloak
ingress:
  enabled: true
  hostname: "keycloak.example.com" # change to whatever you want
  ingressClassName: "${ingress_class}" # change to whatever you want
  tls: true
  annotations:
    cert-manager.io/cluster-issuer: "${cluster_issuer}" # change to whatever you want
    nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
```

ArgoCD

```yaml
config:
  rbac:
    policy.default: "role:admin"
  secret:
    create: false # the secret is created by terraform so the external secret can inject oidc secrets before the helm chart is installed
server:
  url: "https://argocd.example.com"
  config:
    admin.enabled: 'false'
    oidc.config: |
      name: Keycloak
      issuer: "https://keycloak.example.com/realms/management" # change to whatever you want
      clientID: $oidc.keycloak.clientId
      clientSecret: $oidc.keycloak.clientSecret
      requestedScopes: ["openid", "profile", "email"]
```

What is the expected behavior?

I should be able to log into argo-cd using keycloak (it does work on previous versions, namely: )

What do you see instead?

Image

Additional information

No response

@davgia davgia added the tech-issues The user has a technical issue about an application label Mar 13, 2025
@github-actions github-actions bot added the triage Triage is needed label Mar 13, 2025
@javsalgar javsalgar changed the title Argo-cd oidc authentication flow: NOAUTH Authentication required [bitnami/argo-cd] oidc authentication flow: NOAUTH Authentication required Mar 14, 2025
@javsalgar
Contributor

Hi,

Could you describe with what keycloak chart version this integration worked? Maybe something changed in newer Keycloak versions.

@davgia
Contributor Author

davgia commented Mar 14, 2025

Hi @javsalgar,

In another k8s cluster (same version 1.31.3) I have bitnami/argo-cd 5.1.17 and bitnami/keycloak 16.1.7. They are very old but they work. I can try to update and see if I have the same problem.

I see both on argocd-server and argocd-repo-server pod the same recurring error, i.e. NOAUTH Authentication required. It seems to be related to redis but I don't understand why. Another difference is that I am managing the k8s secrets myself (with terraform) instead of letting the chart do it. But I have checked and the secrets have the same structure.

@davgia
Contributor Author

davgia commented Mar 14, 2025

I have updated argo-cd from 5.1.17 to 7.2.3 (and I haven't touched keycloak) and now I am starting to see the same problem:

NOAUTH Authentication required

Maybe it is something related to the use of password file instead of env var?

@Gamote

Gamote commented Mar 16, 2025

We experience the same thing with a freshly installed v7.2.3. Our values are:

```yaml
fullnameOverride: argocd

applicationSet:
  enabled: true
  serviceAccount:
    automountServiceAccountToken: true

controller:
  resourcesPreset: small
  serviceAccount:
    create: true

repoServer:
  resourcesPreset: small
```

The error we get is:

Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = failed to list refs: NOAUTH Authentication required.

After further investigations, I have discovered that my previous message is not related to the Bitnami chart.
The name of the app had invalid characters, so when it reached Redis it couldn't be used as a key for the cache manipulation.

@javsalgar
Contributor

Thanks for letting us know!

@davgia
Contributor Author

davgia commented Mar 17, 2025

@javsalgar, I am sure I do not have invalid characters in my argocd application name (mine is: "alpha").

@davgia
Contributor Author

davgia commented Mar 17, 2025

@javsalgar, I have found the problem. As I have guessed previously there is a problem with the usage of password files instead of environment variables. Disabling the usage of password files solves the problem.

```yaml
usePasswordFiles: false
```

So it seems that argocd services are not configured to use redis password when it is passed via mounted file.

@javsalgar
Contributor

Thanks for letting us know! This PR should fix the issue #32477

@davgia
Contributor Author

davgia commented Mar 18, 2025

@javsalgar, I have updated to bitnami/argo-cd 7.2.4 and I am still getting the same error.

@davgia
Contributor Author

davgia commented Mar 19, 2025

Hi @javsalgar, should I open a new issue?

@javsalgar javsalgar reopened this Mar 20, 2025
@javsalgar javsalgar removed the solved label Mar 20, 2025
@javsalgar
Contributor

No need, I just reopened it

@github-actions github-actions bot removed the triage Triage is needed label Mar 20, 2025
@javsalgar javsalgar assigned migruiz4 and unassigned javsalgar Mar 20, 2025
@github-actions github-actions bot assigned migruiz4 and unassigned migruiz4 Mar 20, 2025
@davgia
Contributor Author

davgia commented Mar 21, 2025

Is the problem clear? I still get the same error after updating to 7.2.4. For now I've just set usePasswordFiles: false. The pod seems to ignore redis password if set via REDIS_PASSWORD_FILE for some reason. Are you sure that the container actually reads this environment variable? I cannot find any reference to this variable in the bitnami containers repository...
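
The file-versus-environment mismatch discussed in this thread, as an added example that is not part of the thread and not the change made in #32477: Redis answers `NOAUTH Authentication required.` to any command sent on a connection that never issued AUTH, which is what happens when a client reads only `REDIS_PASSWORD` while the deployment sets only `REDIS_PASSWORD_FILE`. The wrapper below assumes the wrapped binary reads only `REDIS_PASSWORD`; the function names `resolve_redis_password` and `run_with_redis_password` are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical entrypoint helper, not code from the Bitnami chart.
# Assumption: the wrapped process takes the Redis password only from REDIS_PASSWORD.

# Print the Redis password from REDIS_PASSWORD or, failing that, from the file
# named by REDIS_PASSWORD_FILE. Fails instead of returning an empty password,
# because an empty password makes the client connect without AUTH.
resolve_redis_password() {
    if [ -n "${REDIS_PASSWORD:-}" ]; then
        printf '%s' "$REDIS_PASSWORD"
        return 0
    fi
    if [ -z "${REDIS_PASSWORD_FILE:-}" ]; then
        echo "redis: neither REDIS_PASSWORD nor REDIS_PASSWORD_FILE is set" >&2
        return 1
    fi
    if [ ! -r "$REDIS_PASSWORD_FILE" ]; then
        echo "redis: cannot read $REDIS_PASSWORD_FILE" >&2
        return 1
    fi
    # Command substitution drops the trailing newline that mounted files often carry.
    _pw=$(cat "$REDIS_PASSWORD_FILE") || return 1
    if [ -z "$_pw" ]; then
        echo "redis: $REDIS_PASSWORD_FILE is empty" >&2
        return 1
    fi
    printf '%s' "$_pw"
}

# Export REDIS_PASSWORD for the child process and replace this shell with it.
# The secret is never written to stdout or stderr by this function.
run_with_redis_password() {
    REDIS_PASSWORD=$(resolve_redis_password) || return 1
    export REDIS_PASSWORD
    unset REDIS_PASSWORD_FILE
    exec "$@"
}

# When used as a container entrypoint: wrapper.sh <command> [args...]
if [ "$#" -gt 0 ]; then
    run_with_redis_password "$@"
fi
```
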

@davgia
Contributor Author

davgia commented Mar 25, 2025

@javsalgar, any update?
