Private repo credentials deleted from disk before plugin is run #7995
Comments
|
https://github.com/argoproj/argo-cd/blame/6d8ff61b16163e960126f2205166513d924a64a9/reposerver/repository/repository.go#L1167 on this commit message you can see it talks on the change being made to support kustomize remote bases. We use these, but via a plugin, so that we can pass environment variables down to kustomize (as this is now supported in Kustomize - https://github.com/kubernetes-sigs/kustomize/blob/master/api/kv/kv.go#L163, potentially the default |
davemann-mgl
changed the title
|
I ran into this same issue. I may have a simple fix in code; but I am just setting up a test environment for the first time so this may take awhile to validate. |
The io.Closer returned from the call to creds.Environ() removes the underlying file. The desired behavior here is to clean up the credentials files only after the plugin code has been run, which now happens one level up in the call stack. Fixes argoproj#7995 Signed-off-by: D. Ryan Hild <rhild@starbucks.com>
The io.Closer returned from the call to creds.Environ() removes the underlying file. The desired behavior here is to clean up the credentials files only after the plugin code has been run, which now happens one level up in the call stack. Fixes #7995 Signed-off-by: D. Ryan Hild <rhild@starbucks.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>
The io.Closer returned from the call to creds.Environ() removes the underlying file. The desired behavior here is to clean up the credentials files only after the plugin code has been run, which now happens one level up in the call stack. Fixes argoproj#7995 Signed-off-by: D. Ryan Hild <rhild@starbucks.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: asingh51 <Ashutosh_Singh@intuit.com>
The io.Closer returned from the call to creds.Environ() removes the underlying file. The desired behavior here is to clean up the credentials files only after the plugin code has been run, which now happens one level up in the call stack. Fixes argoproj#7995 Signed-off-by: D. Ryan Hild <rhild@starbucks.com> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: wojtekidd <wojtek.cichon@protonmail.com>
|
I'd suggest to re-open the issue as the fix was reverted in #9105 |
If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.
Checklist:
argocd version.Describe the bug
When using ArgoCD 2.2.0 with an existing plugin (Not using the new plugin server), the environment contains a
GIT_SSH_COMMANDwhich includes an ssh identity on shared memory containing the private key for the detected repository, placed there by ArgoCD. In the latest changes for the CMP server, the file is deleted before it can be read due to the pluginEnv's being constructed in a seperategetPluginEnvsmethod now which itself does a defer cleanup of the SSH key before the plugin itself has run.https://github.com/argoproj/argo-cd/blame/6d8ff61b16163e960126f2205166513d924a64a9/reposerver/repository/repository.go#L1142
To Reproduce
Create an application with a config management plugin that internally uses git and is pointed at a private repository.
Attempt to refresh the application
Expected behavior
The identity file contained in the GIT_SSH_COMMAND is not deleted before the plugin is run
Screenshots
If applicable, add screenshots to help explain your problem.
N/A
Version
2.2.0
Logs
The text was updated successfully, but these errors were encountered: