ArgoCD CMP sub resource/repository credentials #16091

Open
ghost opened this issue Oct 24, 2023 · 6 comments
Labels
component:cmp Config Management Plugin related issues enhancement New feature or request

Comments

@ghost

ghost commented Oct 24, 2023

Describe the bug

CMP plugins are the proposed way to extend ArgoCD chart rendering, and according to the documentation/proposal should push plugins forward to become a first-class citizen.
That may hold up for use cases where the argocd-repo-server can fetch all dependencies (maybe there are none though) and push the results down to the CMP to render.

But as soon as you must fetch additional resources from Git, OCI, Helm repos, there are no credentials available out of the box to fulfill this task, even though all needed credentials already exist in the ArgoCD repository configs.

This missing credential push-down functionality is blocking all use cases that need to fetch additional resources, e.g.:

  • Kustomize with kustomizations pointing to sub-Git repositories.
  • Helm umbrella charts where sub charts need to get loaded via dependency updates from OCI or other Helm registries.
  • ...

There is a bunch of open issues all framing the same situation as

Just to list some of the more prominent ones.

This current behavior leads to many workarounds that require mapping arbitrary credentials into the CMP sidecar, and is blocking CMP adoption for all use cases where the argocd-repo-server can't provide everything in one go (when talking about non-public dependencies, which is more or less the default in an enterprise setup).

To Reproduce

apiVersion: v2
name: umbrella-chart
type: application
version: 0.9.0
dependencies:
  - name: sample-chart
    version: 0.1.0
    repository: oci://<WhateverSubChart>

  • Place the subchart in an OCI registry
  • Create a repository in ArgoCD for the private OCI registry homing the sub chart
  • Create an application using the plugin pointing to the Helm umbrella chart

Expected behavior

Using plugins should behave similarly in functionality to using native Helm & Kustomize support in ArgoCD.
That does not mean that no additional effort is expected, like linking repositories of interest (within the application? project?) for credential pushdown candidates, or whatever solution would do the trick to not maintain the same credentials on different layers.

Version

quay.io/argoproj/argocd:v2.8.4

Logs

time="2023-10-24T09:35:59Z" level=info msg="finished streaming call with code OK" grpc.code=OK grpc.method=MatchRepository grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2023-10-24T09:35:59Z" grpc.time_ms=4.83 span.kind=server system=grpc
time="2023-10-24T09:35:59Z" level=info msg="finished streaming call with code OK" grpc.code=OK grpc.method=MatchRepository grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2023-10-24T09:35:59Z" grpc.time_ms=4.831 span.kind=server system=grpc
time="2023-10-24T09:35:59Z" level=info msg="Generating manifests with no request-level timeout"
time="2023-10-24T09:35:59Z" level=info msg="sh -c \"helm dependency build || true\"" dir=/tmp/_cmp_server/49b83398-ff26-459b-9090-104ccd9608b9/umbrella-chart execID=b0044
time="2023-10-24T09:35:59Z" level=info msg="finished streaming call with code OK" grpc.code=OK grpc.method=GetParametersAnnouncement grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2023-10-24T09:35:59Z" grpc.time_ms=5.377 span.kind=server system=grpc
time="2023-10-24T09:36:00Z" level=debug msg="Saving 1 charts\nDownloading sample-chart from repo oci:/<removed url>/helm\nSave error occurred:  could not download oci://<removed url>/helm/sample-chart: failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden\n" duration=1.047357626s execID=b0044
time="2023-10-24T09:36:00Z" level=info msg="sh /var/run/argocd/helm-plugin/generate.sh" dir=/tmp/_cmp_server/49b83398-ff26-459b-9090-104ccd9608b9/umbrella-chart execID=6cf60
time="2023-10-24T09:36:00Z" level=debug duration=359.689583ms execID=6cf60
time="2023-10-24T09:36:00Z" level=error msg="`sh /var/run/argocd/helm-plugin/generate.sh` failed exit status 123: Error: An error occurred while checking for chart dependencies. You may need to run `helm dependency build` to fetch missing dependencies: found in Chart.yaml, but missing in charts/ directory: sample-chart" execID=6cf60
time="2023-10-24T09:36:00Z" level=error msg="finished streaming call with code Unknown" error="error generating manifests: `sh /var/run/argocd/helm-plugin/generate.sh` failed exit status 123: Error: An error occurred while checking for chart dependencies. You may need to run `helm dependency build` to fetch missing dependencies: found in Chart.yaml, but missing in charts/ directory: sample-chart" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2023-10-24T09:35:59Z" grpc.time_ms=1412.54 span.kind=server system=grpc
@ghost ghost added the bug Something isn't working label Oct 24, 2023
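
A triage sketch for the log pattern in the report above, where the registry 403 is only visible at debug level because the plugin command ends in `|| true`, and the error surfaces later in a different command. This is an added example, not code from the issue or the Argo CD project; the function names are hypothetical, and the sample lines are constructed from the posted log with a placeholder registry host.

```python
import re

# logfmt pair: key=value, where value is bare or a double-quoted string with \" escapes
PAIR = re.compile(r'([\w.]+)=("(?:[^"\\]|\\.)*"|\S*)')
AUTH_HINTS = ("failed to authorize", "401 Unauthorized", "403 Forbidden")

def parse_logfmt(line):
    """Parse one logfmt line into a dict, unquoting quoted values."""
    fields = {}
    for key, val in PAIR.findall(line):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"').replace('\\n', '\n')
        fields[key] = val
    return fields

def swallowed_auth_failures(lines):
    """Find commands whose output shows a registry auth failure but that never
    logged level=error (for example because the command ends in `|| true`)."""
    runs = {}  # execID -> {"cmd": str, "output": str, "failed": bool}
    for rec in map(parse_logfmt, lines):
        exec_id = rec.get("execID")
        if exec_id is None:
            continue  # gRPC bookkeeping lines carry no execID
        run = runs.setdefault(exec_id, {"cmd": "", "output": "", "failed": False})
        level, msg = rec.get("level"), rec.get("msg", "")
        if level == "error":
            run["failed"] = True
        elif "duration" in rec:   # completion record: msg holds the command output
            run["output"] = msg
        else:                     # start record: msg holds the command line
            run["cmd"] = msg
    return [(eid, r["cmd"]) for eid, r in runs.items()
            if not r["failed"] and any(h in r["output"] for h in AUTH_HINTS)]

# Constructed sample modelled on the log in the issue; registry.example is a placeholder.
SAMPLE = [
    r'time="2023-10-24T09:35:59Z" level=info msg="sh -c \"helm dependency build || true\"" dir=/tmp/x execID=b0044',
    r'time="2023-10-24T09:36:00Z" level=debug msg="Save error occurred: could not download oci://registry.example/helm/sample-chart: failed to authorize: failed to fetch anonymous token: unexpected status: 403 Forbidden\n" duration=1.04s execID=b0044',
    r'time="2023-10-24T09:36:00Z" level=info msg="sh /var/run/argocd/helm-plugin/generate.sh" dir=/tmp/x execID=6cf60',
    r'time="2023-10-24T09:36:00Z" level=debug duration=359ms execID=6cf60',
    r'time="2023-10-24T09:36:00Z" level=error msg="`sh /var/run/argocd/helm-plugin/generate.sh` failed exit status 123: missing in charts/ directory: sample-chart" execID=6cf60',
]

if __name__ == "__main__":
    for exec_id, cmd in swallowed_auth_failures(SAMPLE):
        print(f"execID={exec_id}: auth failure hidden by: {cmd}")
```

The flagged execID points at the dependency fetch as the root cause, rather than the later `generate.sh` error that the sync status reports.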
@blakepettersson
Member

Could potentially be solved with #15107

@ghost
Author

ghost commented Oct 24, 2023

@blakepettersson, thx for linking!

If it is a more generic approach, not focusing on Git credentials only, it may be a solution (thinking of the OCI part, which may need another way of providing the creds).

@blakepettersson blakepettersson added enhancement New feature or request and removed bug Something isn't working labels Oct 25, 2023
@jmcshane
Contributor

jmcshane commented Dec 1, 2023

I appreciate the more generic approach that @FeltlP is taking to this problem; there's a challenge in identifying a valid credentials set that would be applicable to push to the sidecar. I'd love to discuss this as I've got the context from the work in #15107; feel free to reach out on the CNCF Slack.

@jmcshane
Contributor

jmcshane commented Dec 4, 2023

One of the interesting things I just found is the difference between git.Creds (interface) and helm.Creds (struct) both in the nasty util package. There's also db.RepoCredsDB.

I wonder if it makes sense to have a higher level Creds interface that could be implemented by all secret-type: repository credentials that we could then use to pass across to CMP

@leoluz leoluz added the component:cmp Config Management Plugin related issues label Feb 28, 2024
@thesuperzapper

I think most of the discussion around this issue is happening on #8820

@Xkynar

Xkynar commented Nov 13, 2024

@crenshaw-dev #8820 seems to have implemented a way to provide git credentials to CMPs, but I don't think it works for helm/oci credentials right?
