Open karlschriek opened 2 years ago
Does login work via port-forwarding and running argocd login localhost:XX
?
No, this doesn't work at all when --insecure
is set. (When not set it works without any issues).
Here are the errors. Initial port-forwarding succeeds:
$ kubectl port-forward svc/argocd-server -n argocd 8888:80
W0818 19:56:08.389740 103506 azure.go:92] WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
Forwarding from 127.0.0.1:8888 -> 8080
Forwarding from [::1]:8888 -> 8080
Handling connection for 8888
Handling connection for 8888
Thereafter, whether attempting to connect via the browser or via the CLI, the following output is printed in the console logs and the port-forwarding is broken:
E0818 19:56:12.735346 103506 portforward.go:406] an error occurred forwarding 8888 -> 8080: error forwarding port 8080 to pod 922c222aa17d861ed872caf98729cf0a18303b5a08ca6e49b3dd161abcdfcd55, uid : failed to execute portforward in network namespace "/var/run/netns/cni-d0ff4986-3c2b-3485-77f5-5c7e9cea95a4": read tcp4 127.0.0.1:38170->127.0.0.1:8080: read: connection reset by peer
E0818 19:56:12.735531 103506 portforward.go:234] lost connection to pod
Handling connection for 8888
E0818 19:56:12.735711 103506 portforward.go:346] error creating error stream for port 8888 -> 8080: EOF
The CLI itself just prints "connection refused":
$ argocd login localhost:8888
FATA[0002] dial tcp 127.0.0.1:8888: connect: connection refused
EDIT: this particular issue looks like it is related to #8613
This gives the exact same error:
argocd login localhost:8888 --plaintext
This does work:
argocd login --port-forward --plaintext --port-forward-namespace argocd
...which is good to know in the situation where I can piggy-back off the kubernetes API, but what I want to is have argocd login argocd.mydomain.com
work
With only --insecure
enabled, login on browser (localhost:15032
) gives the following errors:
URL: http://localhost:15032/api/v1/applications?fields=metadata.resourceVersion%2Citems.metadata.name%2Citems.metadata.annotations%2Citems.metadata.labels%2Citems.metadata.creationTimestamp%2Citems.metadata.deletionTimestamp%2Citems.spec%2Citems.operation.sync%2Citems.status.sync.status%2Citems.status.health%2Citems.status.operationState.phase%2Citems.status.operationState.operation.sync%2Citems.status.summary&selector=
Status: 401 Unauthorized
URL: http://localhost:15032/api/v1/clusters
Status: 401 Unauthorized
virtual-service.yaml
kind: VirtualService
metadata:
name: ui-services
spec:
hosts:
- "*"
gateways:
- local-gateway
http:
- name: argocd
match:
- port: 15032
route:
- destination:
host: argocd-server.argocd.svc.cluster.local
port:
number: 80
Checklist:
argocd version
.Describe the bug
I am serving the ArgoCD Server on argocd.mydomain.com using the following Istio setup:
and:
I can log into the server via my browser at
argocd.mydomain.com
. However, if I tried to log in via the CLI, I am hit with anRBAC: access denied
, which means that Istio is blocking traffic that hasn't been allowed for via the setup above. The only thing that I can think of is that the CLI might be attempting to use a different port.I also attempted to use the suggestions in https://github.com/argoproj/argo-cd/issues/2784#issuecomment-662439971:
Expected behavior
Since the server is correctly serving to argocd.mydomain.com and can be connect to there via the browser, I would expect the CLI to be able to connect on that endpoint.
Version