Repository credentials templates and Helm dependency #11717
Comments
|
Are the Helm dependencies OCI charts? If so, a fix (#11327) was added since 2.5.5. |
Thanks @blakepettersson for the reply but no, the Helm dependency uses HTTP. |
No, that shouldn't be necessary, that should work. It's possible that you might be bumping into the same issue I bumped into in #10218. |
|
I'm also affected by this issue. I can use OCI repository directly without any issues. But if OCI chart is declared as a subchart, it unfortunately doesn't work. |
|
So, I managed to take a look and debug this issue and finally got it working. Here is my secret with credentials template: Here is my helm chart definition with dependency in OCI repository: However, what was most surprising to me was that helm repo credentials are treated the same as git repo credentials. So they must be placed as an allowed source in the project where your application is located (screenshot attached). Without this, helm repo credentials will be cut in this function and will never be passed to
This is very counterintuitive, because in the project configuration, the @blakepettersson please let me know if it is a bug or it is by design. If it is a bug, I can open a PR. |
|
@jacek-jablonski thanks for taking the time to write the post, but I'm having this problem with http and adding it in the source repository doesn't work. |
|
I'm also affected by #7104, but I haven't investigated the reasons for this yet. |
|
We have the same issue and are not able to fix this.
We use a sub helm chart and with a Chart.yaml type: application dependencies:
The error message is always the same when we try to deploy the app:
Any ideas how this can be fixed? |
Hey @jacek-jablonski this one totally slipped through the cracks. This is by design, but it is not very intuitive. I have a WIP PR which should hopefully make this more visible when this happens, see #12255. |
|
xposting this workaround: #12436 (comment) |
|
Just a heads up to anyone who may be having this issue as well, there was a breaking behavior change in argocd, don't know exact versions. Previously a chart referencing a oci helm depedency like apiVersion: v2
name: helm-name
type: application
version: 0.0.0
dependencies:
- name: char-name
version: "chart-varion"
repository: 'oci://<account>.dkr.ecr.us-east-1.amazonaws.com/<sub-path>'apiVersion: v1
kind: Secret
metadata:
name: $secretName
namespace: $ns
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: "<account>.dkr.ecr.us-east-1.amazonaws.com" # NO LONGER WORKS FOR DEPENDENCIES!! Used to work for direct chart reference AND dependencies
url: "<account>.dkr.ecr.us-east-1.amazonaws.com/<sub-path>" # Required now for OCI chart dependencies
name: ecr
type: helm
enableOCI: "true"
username: AWS
password: "<password> |
|
Thank's @plaisted. It worked in v2.7.4 and before for a very long time. |
|
Isn't this the issue that was fixed in #14699 (and hence in >= 2.7.10)? |
|
Just tried it with the latest helm chart 5.43.3 and v2.8.0+804d4b8 of argo-cd and it is not working with parts of the repository. |
|
We updated from v2.7.4 to v2.7.8 and saw the issue. We have automation that syncs our ECR creds to cluster so wasn't a huge effort to add the sub-repos (note you don't need one for each chart, just each prefix if you are using them). We did deploy v2.8.0 in one cluster and didn't see issues so think it may be resolved but will dig in a little more to verify since @lhaussknecht is saying it is not working. |
|
Just tried again with v2.8.4 and it is still a problem. I also tried to use sub-paths in our secrets and we still get "unexpected status from HEAD request" with 401 Unauthorized. |
|
Also have the same issue on v2.8.4, it seems a bit random though, but mostly not working |
|
Hi guys, I have a similar issue using the credential template on v2.4. But I found a workaround for my case. Only the applications in the AppProject that contain specific sourceRepos can't work with the credential template. If I set the sourceRepos to |
|
I finally found some energy to experiment with a more recent Argo CD version: v2.11.4 in Helm chart 7.3.4. If anyone wants the credentials let me know. Assets: Unified credential template without specifying the projectSeparated credential templates without specifying the projectArgoProject that allows all repositoriesArgoProject with allowlistHelm chart with subchart (in https://gitlab.com/argocd-helm-11717/test)'open' app with open project'closed' app with closed projectfix-credentialsSome resulting combinations:
@blakepettersson does this clarify the issue? Or is it an undocumented "feature"? Version{
"Version": "v2.11.4+e1284e1",
"BuildDate": "2024-07-02T19:17:02Z",
"GitCommit": "e1284e19e03c9abab2ea55314b14b1e0381c4045",
"GitTreeState": "clean",
"GoVersion": "go1.21.10",
"Compiler": "gc",
"Platform": "linux/amd64",
"KustomizeVersion": "v5.2.1 2023-10-19T20:13:51Z",
"HelmVersion": "v3.14.4+g81c902a",
"KubectlVersion": "v0.26.11",
"JsonnetVersion": "v0.20.0"
} |
Checklist:
argocd version.Describe the bug
Given a private Helm chart repository, an application Helm chart with a dependency (subchart) to the private repository.
The repository credentials templates don't work while the normal credentials work correctly.
Expected behavior
The repository credentials should also work for the Helm dependencies (recursively).
Edit
On second thought I think it's the problem is that I'm using repository credential templates without creating the repository resources in argocd. Is this the wrong approach? It works if there are no Helm dependencies.
Version
{ "Version": "v2.5.2+148d8da", "BuildDate": "2022-11-07T16:42:47Z", "GitCommit": "148d8da7a996f6c9f4d102fdd8e688c2ff3fd8c7", "GitTreeState": "clean", "GoVersion": "go1.18.8", "Compiler": "gc", "Platform": "linux/amd64", "KustomizeVersion": "v4.5.7 2022-08-02T16:35:54Z", "HelmVersion": "v3.10.1+g9f88ccb", "KubectlVersion": "v0.24.2", "JsonnetVersion": "v0.18.0" }The text was updated successfully, but these errors were encountered: