fix: rewrite Host header in dex reverse proxy

[okhaliavka]

Fixes #3975

In Istio, HTTP traffic is routed to a cluster based on Host header. Dex reverse proxy does not rewrite Host header, so traffic does not get routed to argocd-dex-server cluster and no cluster-level configuration (e.g. mTLS) is applied. Because of this, request to dex-server fails in environments where strict mTLS is enabled or where outbound traffic policy is set to REGISTRY_ONLY.

Signed-off-by: Alexey Khalyavka [email protected]

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[jannfis]

LGTM, thank you @akhalyavka !

[alexef]

I'm still seeing the issue in ArgoCD 2.4.11. Was this fix released?

[thuandt]

@alexef me too. I'm still seeing this issue on ArgoCD v2.4.14

[hSATAC]

+1 to this.
According to the commit tags, this was released since v2.1.0
But we're still having this on v2.3.7

[rajshivage]

v2.1.0

I'm still seeing this issue in v2.4.12

[ankitcharolia]

I still face the issue in version 2.5.7
WORKAROUND: renaming svc/argocd-dex-server port name to TCP. It works fine.

[NadgobKhan]

@ankitcharolia Hello, I have the same issue (I actually have an Nginx load balancer that listens on port 80 and proxies the connection to https://localhost:8080, where argocd-server resides), but I don't know what exactly to rename. All three port of argocd-dex-server are TCP already. Could you help me please?

[AhmedMItman]

@NadgobKhan If you still waiting for the reply,
What @ankitcharolia means is,

You need to change the port name name from

 - name: http
    port: 5556
    protocol: TCP
    targetPort: http

to

 - name: tcp
    port: 5556
    protocol: TCP
    targetPort: http

This is in svc/argocd-dex-server

FYI: It is a workaround,

[AhmedMItman]

@akhalyavka I Think this ticket needs to be opened again, the issue still exists, please check the previous messages

Thanks in advance.

[mindovermiles262]

Seeing this issue still. Renaming the port to tcp worked but I think this still needs a fix
ArgoCD v2.6.7+5bcd846

[pre]

With STRICT Istio mTLS, the issue still persists and the workaround is to rename the dex service port to either https or tcp: https://github.com/argoproj/argo-cd/blob/v2.6.7/manifests/ha/install.yaml#L16450

Related:
#3975 (comment)

[okhaliavka]

Sorry for coming back to this so late. I must have screwed up my testing, it seems like there is at least one more place in the codebase where the header needs to be rewritten. I'll try to fix it next week.

[arnzchen]

Still seeing this issue in v2.8.0 after this #13500 was merged in