When the vSphere Kubernetes Service (VKS) Argo CD Operator is configured to connect to the VMware Cloud Foundation (VCF) Identity Broker (IDB) with insecure: false (or with the insecure attribute omitted), users see the following error when logging in to the Argo CD web service:
Failed to query provider "https://<OIDC_SERVER>/acs/t/CUSTOMER/": Get "https://<OIDC_SERVER>/acs/t/CUSTOMER/.well-known/openid-configuration": tls: failed to verify certificate: x509: certificate signed by unknown authority
The same error appears in the Argo CD server pod logs, which can be followed with:
kubectl logs -n argocd -l app.kubernetes.io/name=argocd-server -f
Affected versions: VKS Argo CD Operator 1.1 and earlier.
This issue occurs because the Argo CD server does not trust the Certificate Authority (CA) that signed the VCF IDB's TLS certificate. By default, the Argo CD server pod trusts only the public CAs bundled in its base image. With insecure set to false, Argo CD performs full certificate verification during the TLS handshake, so the OIDC discovery request fails as soon as the issuing CA cannot be found in that trust store.
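The following Go program is an added illustration, not code from the KB article or the VKS Argo CD Operator. It stands up a fake IDB whose certificate is signed by a private CA, then performs the OIDC discovery fetch twice: once trusting only the default roots, which fails with the x509 error quoted above, and once with the private CA added to the pool, which succeeds. The names NewFakeIDB, CAPEM and QueryProvider are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewFakeIDB stands in for the VCF IDB: a TLS server signed by a private CA (httptest's self-signed cert).
func NewFakeIDB() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.HasSuffix(r.URL.Path, "/.well-known/openid-configuration") {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"issuer": "https://" + r.Host + "/acs/t/CUSTOMER/"})
	}))
}

// CAPEM returns the fake IDB's issuing CA as PEM (what an operator would extract from the real chain).
func CAPEM(srv *httptest.Server) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

// QueryProvider fetches the discovery document with strict verification, as Argo CD does with
// insecure: false. caPEM == nil means "trust only the roots already in the client's trust store".
func QueryProvider(issuer string, caPEM []byte) (string, error) {
	cfg := &tls.Config{}
	if caPEM != nil {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return "", fmt.Errorf("invalid CA PEM")
		}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration")
	if err != nil { // e.g. tls: failed to verify certificate: x509: certificate signed by unknown authority
		return "", fmt.Errorf("failed to query provider %q: %w", issuer, err)
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` }
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return "", err
	}
	return doc.Issuer, nil
}
```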
This issue will be resolved in an upcoming release of the VKS Argo CD Operator.