Open pre opened 2 months ago
I'm running into this while trying to run ArgoCD in a container as per the docs. Repo server is unable to use the repository:
09:12:39 api-server | INFO[2114] received unary call /repository.RepositoryService/GetAppDetails grpc.method=GetAppDetails grpc.request.content="source:<repoURL:\"https://github.com/diversario/argocd-sync-waves\" path:\"apps/wave-1\" targetRevision:\"main\" chart:\"\" ref:\"\" > appName:\"wave-1\" appProject:\"default\" " grpc.service=repository.RepositoryService grpc.start_time="2024-09-11T09:12:39Z" span.kind=server system=grpc
09:12:40 repo-server | DEBU[2114] revision 'main' resolved to 'bcdf0e5304f6b494d34007e6db3feb20d3d6da73'
09:12:40 repo-server | INFO[2114] app details cache miss: bcdf0e5304f6b494d34007e6db3feb20d3d6da73/&ApplicationSource{RepoURL:https://github.com/diversario/argocd-sync-waves,Path:apps/wave-1,TargetRevision:main,Helm:nil,Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}
09:12:40 repo-server | INFO[2114] Initializing https://github.com/diversario/argocd-sync-waves to /tmp/_argocd-repo/d0135c11-65b9-4d3e-ad3f-0739eddd509c
09:12:40 repo-server | DEBU[2114] LsRefs resolved 1 branches and 0 tags on repository
09:12:40 repo-server | INFO[2114] finished unary call with code OK grpc.code=OK grpc.method=ListRefs grpc.service=repository.RepoServerService grpc.start_time="2024-09-11T09:12:39Z" grpc.time_ms=358.346 span.kind=server system=grpc
09:12:40 repo-server | DEBU[2114] revision 'main' resolved to 'bcdf0e5304f6b494d34007e6db3feb20d3d6da73'
09:12:40 api-server | INFO[2114] finished unary call with code OK grpc.code=OK grpc.method=ListRefs grpc.service=repository.RepositoryService grpc.start_time="2024-09-11T09:12:39Z" grpc.time_ms=365.46 span.kind=server system=grpc
09:12:40 repo-server | INFO[2114] git fetch origin --tags --force --prune dir=/tmp/_argocd-repo/d0135c11-65b9-4d3e-ad3f-0739eddd509c execID=7823b
09:12:40 repo-server | DEBU[2114] duration=5.061208ms execID=7823b
09:12:40 repo-server | ERRO[2114] `git fetch origin --tags --force --prune` failed exit status 128: fatal: detected dubious ownership in repository at '/tmp/_argocd-repo/d0135c11-65b9-4d3e-ad3f-0739eddd509c'
09:12:40 repo-server | To add an exception for this directory, call:
09:12:40 repo-server | git config --global --add safe.directory /tmp/_argocd-repo/d0135c11-65b9-4d3e-ad3f-0739eddd509c execID=7823b
09:12:40 repo-server | INFO[2114] Trace args="[git fetch origin --tags --force --prune]" dir=/tmp/_argocd-repo/d0135c11-65b9-4d3e-ad3f-0739eddd509c operation_name="exec git" time_ms=5.626125
09:12:40 repo-server | ERRO[2114] finished unary call with code Unknown error="failed to initialize repository resources: rpc error: code = Internal desc = Failed to fetch default: `git fetch origin --tags --force --prune` failed exit status 128: fatal: detected dubious ownership in repository at '<path to cached source> add an exception for this directory, call:\n\n\tgit config --global --add safe.directory <path to cached source>" grpc.code=Unknown grpc.method=GetAppDetails grpc.service=repository.RepoServerService grpc.start_time="2024-09-11T09:12:39Z" grpc.time_ms=381.453 span.kind=server system=grpc
09:12:40 repo-server | DEBU[2114] Successfully restored read/write/execute permissions on /tmp/_argocd-repo/d0135c11-65b9-4d3e-ad3f-0739eddd509c
Is this still an issue?
same problem here with single-node cluster and a local git repo specified with repoURL: file:///local-git-repo
The local volume is mounted with the specified argocd helm values and /opt/argo.git belongs to root:root (755) on the host:
repoServer:
  volumes:
    - name: local-git-repo
      hostPath:
        path: /opt/argo.git
        type: Directory
  volumeMounts:
    - name: local-git-repo
      mountPath: /local-git-repo
      readOnly: true
I am running into the same issue as well. Looking into the workaround but dunno how to change the ownership of the directory? Can anyone give an example? Thanks
PS: I also have a similar setup to @theblop and am trying to point to a local repo for argocd
Describe the bug
ArgoCD v2.12 updates git to 2.43.0 which enforces the directory ownership match with the effective user id. In the command line environment declaring a git safe.directory tells git to accept a directory, but Git executed by ArgoCD does not respect /home/argocd/.gitconfig
Context
In one of our environments, we include a certain version of manifests into the argocd-repo-server pod. The overall purpose is to serve a fixed set of manifests from the argocd-repo-server filesystem without a dependency to any external version control system. (The business purpose is somewhat more complex but it's not relevant here.)
Using an init container, files are copied from this manifest container image to a shared volume, which is then mounted by argocd-repo-server. The Application manifests then define repoURL: /usr/local/example-manifests.
Situation
With ArgoCD v2.10 everything works.
In ArgoCD v2.12 (didn't try v2.11) git in argocd-repo-server fails with
Locally this issue would be fixed with
git config --global --add safe.directory /usr/local/example-manifests
(.gitconfig shown above). But argocd-repo-server does respect /home/argocd/.gitconfig. This is demonstrated by git clone being successful in argocd-repo-server command line (it fails without this .gitconfig):
But running in ArgoCD fails because of the permission mismatch.
Workaround
Our intention was to have these manifests read-only, which was achieved by having the directory owned by root:root.
Since .gitconfig is not respected, and the problem is caused by mismatching owner:group (root != argocd), we loosened the security approach by changing the ownership of /usr/local/example-manifests to argocd:argocd.
The downside is that now the manifest directory is writable by the non-root argocd user. Even though the argocd-repo-server root file system is mounted read only, the volume shared by the init container and argocd-repo-server is writable (otherwise the init container wouldn't be able to write there).
Ironically this means that this enhanced security setting made the overall security worse.
Expected behavior
The argocd-repo-server would either respect ~/.gitconfig or have a way to define a list of safe.directory paths.
Version
Logs
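An added example, not part of the original issue and not ArgoCD or git code: a shell script for the trade-off described under Workaround, reporting for a repository directory whether git's ownership check would trust it for a given runtime uid and whether that uid could write to it. The function names, the simplified trust model (owner match, or an exact or `*` safe.directory entry) and the write-bit check are assumptions of this example.

```shell
#!/bin/sh
# Added illustration, not ArgoCD or git code. Simplified model of git's
# ownership check: a repository is trusted when its owner is the calling
# uid, or when it is listed under safe.directory in global/system config.

# safe_dirs FILE: print the safe.directory values of a gitconfig-style file.
safe_dirs() {
    in_safe=0
    while IFS= read -r line; do
        case $line in
            "[safe]"*) in_safe=1 ;;
            "["*)      in_safe=0 ;;
            *directory*=*)
                if [ "$in_safe" = 1 ]; then
                    val=${line#*=}
                    printf '%s\n' "${val# }"
                fi ;;
        esac
    done < "$1"
}

# check_repo DIR RUNTIME_UID GITCONFIG: print "<trust> <access>".
# Access ignores group membership, ACLs and uid 0 (assumption: the
# runtime user is a plain non-root account such as argocd).
check_repo() {
    dir=$1 uid=$2 cfg=$3
    read -r perms nlink owner rest <<EOF
$(ls -ldn "$dir")
EOF
    trust=dubious
    if [ "$owner" = "$uid" ]; then
        trust=owner-match
    elif [ -r "$cfg" ] && safe_dirs "$cfg" | grep -qxF -e "$dir" -e '*'; then
        trust=safe-listed
    fi
    # Owner write bit if the runtime uid owns DIR, otherwise the "other" bit.
    if [ "$owner" = "$uid" ]; then wbit='??w*'; else wbit='????????w*'; fi
    case $perms in
        $wbit) access=writable ;;
        *)     access=read-only ;;
    esac
    printf '%s %s\n' "$trust" "$access"
}

# Usage: sh check.sh /usr/local/example-manifests "$(id -u)" ~/.gitconfig
if [ "$#" -eq 3 ]; then check_repo "$@"; fi
```

A root-owned 755 directory checked for a different uid reports `dubious read-only`, the chown workaround reports `owner-match writable`, and the behaviour requested under Expected behavior corresponds to `safe-listed read-only`.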