ArgoCD is not using helm repository credentials for Chart dependencies #7104

Open
3 tasks done
ib-ak opened this issue Aug 27, 2021 · 44 comments
Labels: bug, component:helm, regression, type:bug

Comments

@ib-ak

ib-ak commented Aug 27, 2021

If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

Password protected private helm repository throws an error when added as dependency to helm chart Chart.yaml file.

To Reproduce

  1. Create a private helm repo. (GitHub repo hacked to work as helm chart registry in my case)
  2. Create a Secret in ArgoCD either with label

      argocd.argoproj.io/secret-type: repo-creds

     or

      argocd.argoproj.io/secret-type: repository

     and helm chart registry info

      url: "https://raw.githubusercontent.com/org/helm-charts/main/docs"
      name: "helm-charts"
      type: "helm"
      username: ""
      password: ""
  3. Create a helm-type app with above helm chart dependency.

Expected behavior

ArgoCD should be able to resolve helm chart dependencies using either repo-creds or repository secrets.

Screenshots

rpc error: code = Unknown desc = Manifest generation error (cached): `helm repo add raw.githubusercontent.com https://raw.githubusercontent.com/org/helm-charts/main/docs` failed exit status 1: Error: looks like "https://raw.githubusercontent.com/org/helm-charts/main/docs" is not a valid chart repository or cannot be reached: failed to fetch https://raw.githubusercontent.com/org/helm-charts/main/docs/index.yaml : 404 Not Found

Version

v2.1.1+aab9542

Logs

NA

@ib-ak ib-ak added the bug Something isn't working label Aug 27, 2021
@alexmt
Collaborator

alexmt commented Aug 27, 2021

Hello @abhinavkhanna-sf,

Looks like https://raw.githubusercontent.com/org/helm-charts/main/docs is indeed not a valid helm repository. Argo CD expects index.yaml which is not there. Am I missing something?

@ib-ak
Author

ib-ak commented Aug 27, 2021

@alexmt we don't specify index.yaml in the chart url

snippet from error above

failed to fetch https://raw.githubusercontent.com/org/helm-charts/main/docs/index.yaml : 404 Not Found

index.yaml was automatically added by helm commands.

It works without index.yaml in 2.0.5

@ib-ak
Author

ib-ak commented Aug 27, 2021

You can get 404 Not Found back from GitHub when you are trying to access private GitHub Repos without credentials.
From the looks of it, helm repo add command is not using credentials to add the private repo.

@r0kas

r0kas commented Aug 27, 2021

Same here. Rolled back argocd 2.1 because of private repo access issue.
I could create the repository config through UI and it would register fine. I could see 200 in my private repo logs. But when chart generation time comes it looks like these credentials are not used by argocd controller anymore.
Just in my case it was Forbidden 403.
Same config with 2.0.5 worked flawlessly.

@alexmt alexmt added the regression Bug is a regression, should be handled with high priority label Aug 27, 2021
@alexmt alexmt added this to the v2.2 milestone Aug 27, 2021
@ib-ak ib-ak changed the title ArogCD is not using helm repository credentials for Chart dependencies ArgoCD is not using helm repository credentials for Chart dependencies Sep 8, 2021
@chetan-rns chetan-rns self-assigned this Oct 7, 2021
@cesarmesones

+1

@salanki

salanki commented Dec 15, 2021

+1

@moustafab

In case anyone is running into this issue or is debugging the code to figure out what is wrong I found that when using any unconventional helm repo (i.e. using helm-git plugin or helm-gcs plugin to serve helm repos from non https or oci urls) IF you have a restriction on your projects for sourceRepos that does not include those urls this will not work. This is completely contrary to the typical helm repo type which doesn't have to be exempted in the ArgoProject. I got around this issue by putting a * in my sourceRepos for the project that wasn't working.

tested with v2.2.0+6da92a8

@TGuimbert

I found a workaround that works for me, but may not be okay for everyone.
By creating a new helm repository in the same project as my application, I am able to use the credentials I provided. It didn't work without specifying a project in the repository definition and it didn't work with the default project.

I tested this in v2.2.0+6da92a8.

@chetan-rns
Member

I am unable to reproduce this issue in the latest version. Added a private helm chart as a dependency and the helm repo add command used the right credentials.

@cesarmesones

cesarmesones commented Dec 28, 2021

Tested on latest 2.2.1 and still same issue. Our helm repo is unconventional, added as such:

        - name: application-test
          passwordSecret:
            key: password
            name: test-creds
          type: helm
          url: https://raw.githubusercontent.com/test/master/repo/
          usernameSecret:
            key: username
            name: test-creds

(works on our current version 2.0.5)

@steinarox

steinarox commented Dec 30, 2021

@chetan-rns I can add a chart directly, but if I have a chart.yaml in a git repo that points to another private chart repo it won't work.

Note we are using Azure ACR as our registry. The new passCredentials argument doesn't fix it, still 401.

@steinarox

/link
#7858
#7969

@alexmt alexmt modified the milestones: v2.2, v2.3 Jan 1, 2022
@chetan-rns
Member

Maybe I'm missing something. Followed the below steps but couldn't reproduce the issue

  1. Created a private helm repository(GitHub repo hacked as a helm repo)
  2. Added this private repo as a dependency in Chart.yaml in a git repo https://github.com/chetan-rns/gitops-test/blob/main/helm/Chart.yaml#L28
  3. Registered the private repository with Argo CD
  4. Deployed the Application and Argo CD can fetch the manifests from the private dependency helm repo (according to the issue it shouldn't)

@steinarox

@chetan-rns tried with argocd 2.2.2 but still same problem.
I could show you on a call if you want to.

I am unsure how I can debug this in our environment, but 2.0.5 works. 2.2.2 works only when adding helm chart directly, not from git repo. We have multiple private helm and git repos configured, could Argocd somehow mix creds? Could it be something with the new project scoping? None of the repo credentials I have created are project scoped, but the application is. I tried an application with the default project as well with no change.

@zwilling79

Was facing the same issues when I've upgraded ArgoCD from v2.0.5 to v.2.1.8. But I was able to fix it (thanks to @moustafab comment above) if I had included the Helm repository (Artifactory) in the sourceRepos settings of the project which the application was bound to. Had also tested the following scenarios:

  • Helm repository and credentials are configured via separate secrets that contain the labels argocd.argoproj.io/secret-type: repository resp. argocd.argoproj.io/secret-type: repo-creds
  • Helm repository and credentials are configured in the argocd-cm configMap

Both scenarios are working fine.

@stephen-harris

Broken for me in 2.2.3 (upgraded from 2.0.3). Our projects already have sourceRepos set to 0. Context is we are using GitHub to host a private subchart that's referenced in a private repository (also on GitHub)

@cesarmesones

> In case anyone is running into this issue or is debugging the code to figure out what is wrong I found that when using any unconventional helm repo (i.e. using helm-git plugin or helm-gcs plugin to serve helm repos from non https or oci urls) IF you have a restriction on your projects for sourceRepos that does not include those urls this will not work. This is completely contrary to the typical helm repo type which doesn't have to be exempted in the ArgoProject. I got around this issue by putting a * in my sourceRepos for the project that wasn't working.
>
> tested with v2.2.0+6da92a8

Can confirm was able to resolve this issue by adding the asterisk for sourceRepos as mentioned; however, without restarting the redis cache pods and waiting a bit after, the change will not reflect and makes this hard to troubleshoot. Keep that in mind. Thanks for your help!

@steinarox

steinarox commented Feb 8, 2022

This seems to work for us 🎉 with v2.2.5, although the performance of Argo has tanked. We are getting continuously unknown state for applications with "rpc error: code = Unknown desc = helm dependency build failed signal: killed" and the log is spammed with helm repo add myrepo. Hard refresh fixes the unknown state temporarily.

kind: Secret
apiVersion: v1
type: Opaque
metadata:
  name: repo-myacrrepositoryhelm
  labels:
    argocd.argoproj.io/secret-type: repository
stringData: # plain-text values belong under stringData; data would require base64
  enableOCI: "false" # disable OCI explicitly (Secret values must be strings)
  name: acrmyacrrepository
  type: helm
  url: https://acrmyacrrepository.azurecr.io/helm/v1/repo # Remove trailing slash
  password: complexpassword
  username: 1137a517-fb0a-42d2-8cd2-727fc6684c26

Link #7121

@steinarox

Update: if you get problems with unknown status and rpc error: code = Unknown desc = helm dependency build failed signal: killed try setting --parallelismlimit to something <10

@tamademicheli

Hello, this bug is blocking us from upgrading. We also had to roll back to a previous version.

Is there something we can do to help you fix that soon? Thanks

@spacebuoy29

> Was facing the same issues when I've upgraded ArgoCD from v2.0.5 to v.2.1.8. But I was able to fix it (thanks to @moustafab comment above) if I had included the Helm repository (Artifactory) in the sourceRepos settings of the project which the application was bound to. Had also tested the following scenarios:
>
>   • Helm repository and credentials are configured via separate secrets that contain the labels argocd.argoproj.io/secret-type: repository resp. argocd.argoproj.io/secret-type: repo-creds
>   • Helm repository and credentials are configured in the argocd-cm configMap
>
> Both scenarios are working fine.

Can you share more details?

@spacebuoy29

> Broken for me in 2.2.3 (upgraded from 2.0.3). Our projects already have sourceRepos set to 0. Context is we are using GitHub to host a private subchart that's referenced in a private repository (also on GitHub)

Any update?

@nkkowa
Contributor

nkkowa commented Mar 17, 2022

Managed to get it working on 2.2.5 using the fix by @TGuimbert, changing the scope of the credentials from global to the same project as the application. Not sure why globally scoped creds won't work. Adding the Helm repo to the allowed source repos for the project did not seem to have an impact.

@BdeHeij

BdeHeij commented Apr 21, 2022

Verified bug is present in ArgoCD 2.3.1 and 2.3.3.
In combination with a custom helm provider (we combined sops + envsubst + helm) we mounted a /helm-working-dir/repositories.yaml for our customer plugin, and used TGuimbert's workaround by adding a credential template AND helm repository credentials on the default app. Weirdly enough this propagated to all the other apps.

I noticed a lot of remarks on #7858 after closing so this might impact more people.

@ixxeL2097

ixxeL2097 commented Jun 10, 2022

This issue is a very big concern for me as well. I have the issue in the latest 2.3.x version (2.3.4) and also tried the Release Candidate of 2.4 version (2.4.0-rc5) and both versions seem to have the issue.
Here are my files:
Repository secret file

apiVersion: v1
kind: Secret
metadata:
  annotations:
    managed-by: argocd.argoproj.io
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-helm-repo
  namespace: argocd
type: Opaque
stringData:
  name: helm-repo
  password: password
  type: helm
  url: https://private-repo.fr/charts
  username: admin

My application file:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: helm-test
spec:
  destination:
    namespace: test
    server: 'https://kubernetes.default.svc'
  source:
    path: .
    repoURL: 'https://gitlab.com/chart-dependency.git'
    targetRevision: HEAD
  project: some-project

And this is my Chart.yaml located on my git repository referenced in my Application yaml:

apiVersion: v2
name: helm-test
version: 1.0.0
dependencies:
    - name: helm-test
      version: 1.0.0
      repository: https://private-repo.fr/charts

Without passCredentials:

Unable to create application: application spec for helm-test is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm repo add --username ****** --password ****** https:--private-repo.fr/charts https://private-repo.fr/charts` failed exit status 1: Error: repository name (https:--private-repo.fr/charts) already exists, please specify a different name

With passCredentials:

Unable to create application: application spec for helm-dep is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm dependency build` failed exit status 1: Error: could not download https://private-repo.fr:443/charts/helm-test-1.0.0.tgz: failed to fetch https://private-repo.fr:443/charts/helm-test-1.0.0.tgz : 401

I also tried setting my repository as an OCI one with the following settings for the repository :

stringData:
  enableOCI: "true"
  name: helm-repo
  password: password
  type: helm
  url: https://private-repo.fr/charts
  username: admin

and the passCredentials option for the app:

  source:
    path: .
    repoURL: 'https://gitlab.com/chart-dependency.git'
    targetRevision: HEAD
    helm:
      passCredentials: true

Using the URL with oci:// instead of https:// on my Chart.yaml but it always fails with 401 error.

 Unable to create application: application spec for helm-dep is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm dependency build` failed exit status 1: Error: could not download oci://private-repo.fr/charts/helm-test: failed to authorize: failed to fetch anonymous token: unexpected status: 401

Do you guys have any update on this issue?

@alexmt alexmt modified the milestones: v2.4, v2.5 Jun 21, 2022
@jfmrm

jfmrm commented Aug 5, 2022

I also have the same issue using OCI repo from github, and adding the * on source repos for the project didn't solve. I'm using argo version 2.4.7

When I exec inside the repo-server pod and run helm registry login then pull the chart it starts working.

@crenshaw-dev crenshaw-dev removed this from the v2.5 milestone Aug 15, 2022
@oni-oni-oni-1

> adding the * on source

I have same issues, but not fixed mine.

@romosa

romosa commented Apr 20, 2023

I am having the same issue. Does anyone have a solution?

@Borisakov

Same issue, any updates?

@AmitBenAmi

I had the same issue on 2.1.
I decided to upgrade to 2.4.9 and it still happened.
I tried multiple things without any success.

Eventually, after going over the code, I noticed that the helm repositories for apps are only being permitted by sourceRepo in this line.

Eventually, I added the URL of the helm chart (for me, with / at the end) to the Project, and it worked.
I did see the sourceRepo change working in some comments but just didn't think it is related, up until I found this line.

Hope that helps
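
A diagnostic sketch for the causes reported in this thread, added here as an example; it is not Argo CD code and was not posted by any participant. It checks each Chart.yaml dependency URL against the registered helm repository Secrets and the project's sourceRepos. The glob rules, the `project` key, the finding names and all sample data are assumptions constructed for illustration.

```python
import base64
import re


def decode_repo_secret(secret):
    """Decode every base64 value under .data before reading any field."""
    return {k: base64.b64decode(v).decode("utf-8")
            for k, v in secret.get("data", {}).items()}


def glob_match(pattern, url):
    """Assumed glob rules (not taken from Argo CD's source): a bare '*'
    matches anything, '*' stays inside one path segment, '**' crosses '/'."""
    if pattern == "*":
        return True
    parts = re.split(r"(\*\*|\*)", pattern)
    regex = "".join(".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
                    for p in parts)
    return re.fullmatch(regex, url) is not None


def audit(dependencies, repo_secrets, app_project, source_repos):
    """Map each dependency repository URL to a list of findings (empty = clean)."""
    helm_repos = [r for r in map(decode_repo_secret, repo_secrets)
                  if r.get("type") == "helm"]
    report = {}
    for dep in dependencies:
        url = dep["repository"]
        findings = []
        exact = [r for r in helm_repos if r.get("url") == url]
        loose = [r for r in helm_repos
                 if r.get("url", "").rstrip("/") == url.rstrip("/")]
        if not loose:
            findings.append("no-credential")
        elif not exact:
            findings.append("trailing-slash-mismatch")
        for repo in exact or loose:
            if not repo.get("name"):
                findings.append("credential-without-name")
            # 'project' as the key for project-scoped credentials is an assumption.
            if repo.get("project") and repo["project"] != app_project:
                findings.append("credential-scoped-to-other-project")
        matches = [p for p in source_repos if glob_match(p, url)]
        if not matches:
            findings.append("not-in-sourceRepos")
        elif all(p == "*" for p in matches):
            # Works, but the project then accepts any source; list the exact URL.
            findings.append("permitted-only-by-wildcard")
        report[url] = findings
    return report


def _secret(**fields):
    """Constructed Secret in the shape of `kubectl get secret -o json`."""
    return {"kind": "Secret",
            "data": {k: base64.b64encode(v.encode()).decode()
                     for k, v in fields.items()}}


# Constructed sample input; none of these values come from a real cluster.
SAMPLE_SECRETS = [
    _secret(type="helm", name="helm-repo", url="https://private-repo.fr/charts/",
            username="admin", password="constructed"),
    _secret(type="git", url="https://gitlab.com/chart-dependency.git"),
    _secret(type="helm", url="https://charts.example.com/internal",
            project="other-project", username="u", password="constructed"),
]
SAMPLE_DEPENDENCIES = [
    {"name": "helm-test", "version": "1.0.0",
     "repository": "https://private-repo.fr/charts"},
    {"name": "internal", "version": "0.1.0",
     "repository": "https://charts.example.com/internal"},
    {"name": "missing", "version": "0.1.0",
     "repository": "https://unregistered.example.com/charts"},
]
SAMPLE_SOURCE_REPOS = ["https://gitlab.com/chart-dependency.git",
                       "https://charts.example.com/*"]

if __name__ == "__main__":
    result = audit(SAMPLE_DEPENDENCIES, SAMPLE_SECRETS, "some-project",
                   SAMPLE_SOURCE_REPOS)
    for url, findings in result.items():
        print(url, "->", ", ".join(findings) or "ok")
```

The findings only flag the conditions commenters here associated with 401/403/404 errors on dependencies; a clean report does not prove Argo CD will pass the credentials.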

@manali14

I have the same issue with v2.8.4
Any update?

@danmanners

I'm also running into this on v2.8.4, but not all environments.

@sidineyc

sidineyc commented Dec 8, 2023

I have it working, currently on 2.7.10, do you guys have passCredentials as true?

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: inf-thanos
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  sources:
    - repoURL: us-east1-docker.pkg.dev/xxx/helm-repo
      targetRevision: 12.8.3-xxx.2
      chart: inf-thanos
      helm:
        passCredentials: true
        skipCrds: true
        valueFiles:
        - $values/helm_vars/inf-thanos/main-1-us-east1-production/values.yaml
        - $values/helm_vars/inf-thanos/main-1-us-east1-production/secrets.yaml
    - repoURL: git@github.com:xxx/inf-helm.git
      targetRevision: HEAD
      ref: values
  destination:
    server: https://kubernetes.default.svc
    namespace: inf-thanos
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
      - PruneLast=true

@danmanners

> I have it working, currently on 2.7.10, do you guys have passCredentials as true ?

I've tried both. I can get it working with some repos but not others, even across multiple deployments of Argo in multiple clusters. Trying to figure out how to replicate it consistently before dumping too much more here 🙂

@Guitarkalle

Guitarkalle commented Jan 11, 2024

Has anyone gotten any real understanding what's going on here? And how to debug what the actual issue is?

I am on v2.8.4 and get 401 when the main application points to a git repo which has a helm chart containing a dependency pointing to a helm registry. The dependency chart gets 401, and that's even when plenty of other applications work using the same helm registry directly

@ghost

ghost commented Jan 15, 2024

I think we have the same issue using Argo CD version v2.8.4+c279299, deployed via the Helm chart version 5.46.8. I did multiple tests as follows, all using the same one private Git repo and the same one Helm repo, which is not a hacked GH repo:

  1. Deploying from a packaged Helm chart works.
  2. Deploying from a Git-hosted Helm chart works.
  3. Deploying from a packaged umbrella chart works.
  4. Deploying from a Git-hosted umbrella chart fails.

To me, 1 and 2 are proof that the connections to the private Git repo and to the private Helm repo are not otherwise at fault.

Just to be clear: what I refer to as an umbrella chart here is a Helm chart that declares a dependency on another chart in its Chart.yaml:

dependencies:
  - name: the-other-chart
    version: 1.2.3
    repository: http://example.com/the-private-helm-repo

In both 3 and 4, I made the umbrella chart depend on packaged Helm charts. I didn't test depending on a Git-hosted Helm chart.

The umbrella chart deployed in 3 is the same one as in 4. I just helm dependency update && helm package-d it.

I think 3 works just because helm package "inlines" the dependency charts inside the .TGZ archive's /charts folder.

4 fails with the following Sync Error log:

ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): helm dependency build failed exit status 1: Error: no repository definition for http://example.com/the-private-helm-repo. Please add the missing repos via 'helm repo add'

no repository definition makes no sense, especially after seeing 1 succeed.

I tried passCredentials: true, alas unsuccessfully.

I tried hosting the .TGZ of my dependency charts in a public Helm repository, it worked, which confirms the credentials for a private Helm repo are lost in the way.

A displeasing bug that seems to have been here for too long, now.

@ghost

ghost commented Jan 16, 2024

I have no Go knowledge, but it might come from helmTemplate()... Although it doesn't seem right, as the repo is added in DependencyBuild()...

@ghost

ghost commented Jan 17, 2024

Also observed with the newest version:

{
    "Version": "v2.9.3+6eba5be",
    "BuildDate": "2023-12-01T23:05:50Z",
    "GitCommit": "6eba5be864b7e031871ed7698f5233336dfe75c7",
    "GitTreeState": "clean",
    "GoVersion": "go1.21.3",
    "Compiler": "gc",
    "Platform": "linux/amd64",
    "KustomizeVersion": "v5.2.1 2023-10-19T20:13:51Z",
    "HelmVersion": "v3.13.2+g2a2fb3b",
    "KubectlVersion": "v0.24.2",
    "JsonnetVersion": "v0.20.0"
}

@PKatBK

PKatBK commented Jan 29, 2024

> I think we have the same issue using Argo CD version v2.8.4+c279299, deployed via the Helm chart version 5.46.8. I did multiple tests as follows, all using the same one private Git repo and the same one Helm repo, which is not a hacked GH repo:
>
>   1. Deploying from a packaged Helm chart works.
>   2. Deploying from a Git-hosted Helm chart works.
>   3. Deploying from a packaged umbrella chart works.
>   4. Deploying from a Git-hosted umbrella chart fails.
>
> To me, 1 and 2 are proof that the connections to the private Git repo and to the private Helm repo are not otherwise at fault.
>
> Just to be clear: what I refer to as an umbrella chart here is a Helm chart that declares a dependency on another chart in its Chart.yaml:
>
> dependencies:
>   - name: the-other-chart
>     version: 1.2.3
>     repository: http://example.com/the-private-helm-repo
>
> In both 3 and 4, I made the umbrella chart depend on packaged Helm charts. I didn't test depending on a Git-hosted Helm chart.
>
> The umbrella chart deployed in 3 is the same one as in 4. I just helm dependency update && helm package-d it.
>
> I think 3 works just because helm package "inlines" the dependency charts inside the .TGZ archive's /charts folder.
>
> 4 fails with the following Sync Error log:
>
> ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): helm dependency build failed exit status 1: Error: no repository definition for http://example.com/the-private-helm-repo. Please add the missing repos via 'helm repo add'
>
> no repository definition makes no sense, especially after seeing 1 succeed.
>
> I tried passCredentials: true, alas unsuccessfully.
>
> I tried hosting the .TGZ of my dependency charts in a public Helm repository, it worked, which confirms the credentials for a private Helm repo are lost in the way.
>
> A displeasing bug that seems to have been here for too long, now.

Hi All,

I am running into the same issues. After a lot of struggling, my solution for a git hosted helm umbrella chart is to run on the git side of the umbrella chart "helm dep update" (or build, whatever you need) and push the /charts directory into git.
I know, this does not solve the main issue, but it is at least a workaround.

greetz

@chetan-rns chetan-rns removed their assignment Jan 29, 2024
@ghost

ghost commented Feb 2, 2024

A workaround that doesn't require pushing TGZ dumps to Git is to use my own Config Management Plugin, with blackjack and hookers. The plugin adds the repos from the Kubernetes secrets and helm dependency build-s.

plugin.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
  name: gh-7104-workaround-plugin
  namespace: argo
data:

  plugin.yaml: |-
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: gh-7104-workaround-plugin
    spec:
      init:
        command:
          - sh
          - -c
        args:
          - helm-dependency-build # See below...
      generate:
        command:
          - sh
          - -c
          - helm template "${PARAM_HELM_RELEASE_NAME:-$ARGOCD_APP_NAME}" "." --namespace "$ARGOCD_APP_NAMESPACE" --include-crds

  helm-dependency-build.sh: |-
    set -e

    NAMESPACE="$(cat "/var/run/secrets/kubernetes.io/serviceaccount/namespace")"
    TOKEN="$(cat "/var/run/secrets/kubernetes.io/serviceaccount/token")"
    CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

    # CURL to get the secrets annotated with argocd.argoproj.io/secret-type=repository,
    # JQ to keep only the Helm repositories, I don't care about the Git repos here,
    # HELM REPO ADD each of them before building the dependencies.
    curl \
      --silent \
      --cacert "${CACERT}" \
      --header "Authorization: Bearer ${TOKEN}" \
      --request "GET" \
      --url "https://kubernetes.default.svc/api/v1/namespaces/${NAMESPACE}/secrets?labelSelector=argocd.argoproj.io%2Fsecret-type%3Drepository" \
    | jq \
      --exit-status \
      --monochrome-output \
      --raw-output \
      '.items[] | select(.data.type | @base64d == "helm") | .data | .name, .url, .username, .password | map_values(@base64d)' \
    | while read -r "REPO_NAME"; read -r "REPO_URL"; read -r "REPO_USERNAME"; read -r "REPO_PASSWORD"; do
        helm repo add "$REPO_NAME" "$REPO_URL" \
          --username "$REPO_USERNAME" \
          --password "$REPO_PASSWORD" \
          --force-update
      done

    helm dependency build

@xmj

xmj commented May 22, 2024

For anyone trying this out, there's a small error in the plugin.yaml above - map_values(@base64d) should come before selecting name/url/username/password.

So something like this would do:

apiVersion: v1
kind: ConfigMap
metadata:
  name: gh-7104-workaround-plugin
  namespace: argo
data:

  plugin.yaml: |-
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      name: gh-7104-workaround-plugin
    spec:
      init:
        command:
          - sh
          - -c
        args:
          - helm-dependency-build # See below...
      generate:
        command:
          - sh
          - -c
          - helm template "${PARAM_HELM_RELEASE_NAME:-$ARGOCD_APP_NAME}" "." --namespace "$ARGOCD_APP_NAMESPACE" --include-crds

  helm-dependency-build.sh: |-
    set -e

    NAMESPACE="$(cat "/var/run/secrets/kubernetes.io/serviceaccount/namespace")"
    TOKEN="$(cat "/var/run/secrets/kubernetes.io/serviceaccount/token")"
    CACERT="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

    # CURL to get the secrets annotated with argocd.argoproj.io/secret-type=repository,
    # JQ to keep only the Helm repositories, I don't care about the Git repos here,
    # HELM REPO ADD each of them before building the dependencies.
    curl \
      --silent \
      --cacert "${CACERT}" \
      --header "Authorization: Bearer ${TOKEN}" \
      --request "GET" \
      --url "https://kubernetes.default.svc/api/v1/namespaces/${NAMESPACE}/secrets?labelSelector=argocd.argoproj.io%2Fsecret-type%3Drepository" \
    | jq \
      --exit-status \
      --monochrome-output \
      --raw-output \
      '.items[] | select(.data.type | @base64d == "helm") | .data  | map_values(@base64d) | .name, .url, .username, .password' \
    | while read -r "REPO_NAME"; read -r "REPO_URL"; read -r "REPO_USERNAME"; read -r "REPO_PASSWORD"; do
        helm repo add "$REPO_NAME" "$REPO_URL" \
          --username "$REPO_USERNAME" \
          --password "$REPO_PASSWORD" \
          --force-update
      done

    helm dependency build

What we've also noticed is that it is possible to combine this with the argocd-vault-plugin, such that in the docs [1] with additional helm sections [1] you'll want to replace the helm dependency init call with /usr/local/bin/helm-dependency-build.sh, and mount the file to /usr/local/bin/ (make sure it is executable).

[1] https://argocd-vault-plugin.readthedocs.io/en/stable/usage/#with-additional-helm-arguments

@RodrigoMenezes-Vantage

For anyone else that may be hitting this issue, @steinarox link to #7858 is what fixed it for me. I needed to add a name to the repository definition. After doing so everything started working.

name: <<account-id>>.dkr.ecr.${aws_region}.amazonaws.com/myorg/helm-charts
enableOCI: "true"
password: '{{ .password }}'
type: helm
url: <<account-id>>.dkr.ecr.${aws_region}.amazonaws.com/myorg/helm-charts
username: '{{ .username }}'

Before adding the name to the repository definition, I could use the charts from the private OCI repo directly from ArgoCD but could not use them when they were defined as a dependency in another chart.
