argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Unable to Add Gitlab repository with Project/Group/deployment token #17396

Open amarjitmult opened 8 months ago

amarjitmult commented 8 months ago

Checklist:

Describe the bug

ArgoCD fails to add a GitLab-hosted repository using standard authentication methods (Deployment token, project token, group token, or SSH). Only a personal token from a user with GitLab system-wide Administrator role seems to work. Using such a token in ArgoCD's repository setup poses a security risk. GitLab version is GitLab Enterprise Edition v16.8.1-ee, and ArgoCD version is v2.10.1+a79e0ea, installed using the Helm chart. The error "rpc error: code = Unknown desc = error testing repository connectivity: repository not found" is received when attempting to add the repository.

To Reproduce

  1. On the GitLab project, obtain the repository URL for HTTPS – the same URL used for cloning the repository.
  2. Create an Access Token in the GitLab project by going to 'Settings' > 'Access Tokens'. Set the token name and assign appropriate privileges, ensuring "read_api" and "read_repository" scopes are selected.
  3. In ArgoCD's UI, go to 'Settings' > 'Repositories' to connect the repository. Use HTTPS, input the project and repository URL as obtained before. Use the token name as the username and the generated token as the password.
  4. Attempting to add the repository in ArgoCD fails, producing an error. Retrieve the error details from the argocd-server pod logs.

Expected behavior

The expected behavior for ArgoCD when adding a GitLab-hosted repository is to successfully connect using various authentication methods, such as Deployment tokens, project tokens, group tokens, or SSH keys, without requiring elevated permissions like a GitLab system-wide administrator role. The process should be secure, not exposing the system to unnecessary risks, and should allow for the use of least-privilege tokens that have just enough permissions to read the repository and API.

Screenshots

None

Version

argocd version
argocd: v2.10.1+a79e0ea
  BuildDate: 2024-02-14T17:37:43Z
  GitCommit: a79e0eaca415461dc36615470cecc25d6d38cefb
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64

Logs

FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: repository not found

srekkas commented 8 months ago

Mine started working after changing role to maintainer.

andrii-korotkov-verkada commented 1 week ago

Can this be considered a resolving workaround, or is such a role change not always desirable? Does this repro on versions 2.11+?