Open maartengo opened 2 years ago
I think we do cache the repository secrets (like we do with the argocd-secret
), but don't setup watches for the cache updates. This effectively never updates the credentials we initially loaded from the secret, until a restart of argocd-server or argocd-application-controller happens.
Hi, Is this a regression or did this never work?
Is this a regression or did this never work
It's dependent on how you define regression in this case :) The previous way of configuring the repositories, e.g. adding them into argocd-secret
was auto-reloading. The new method is not. So in a way, it is a regression, yes.
Makes sense, we have an unbounded list of secrets to watch now :)
I'm pretty sure we still have auto-reloading. Probably there is an edge case related to whitespace. Trying to reproduce
I was able to reproduce the issue. It is a day zero bug related to the whitespace in git repo URL. Repo server creates temp directory for "normalized" URL that already HTTP encodes whitespace characters but uses original URL for the remote
As a result after switching URL to https://dev.azure.com/YourOrgName/Prep%20Project.2/_git/SomeGitRepo/
repo server keep using previously initialized git repo with https://dev.azure.com/YourOrgName/Prep Project.2/_git/SomeGitRepo/
. The workaround is to restart repo-servers.
I think fix is to use "normalized" URL for all git operations. E.g git client should be initialized with normalized URL: https://github.com/argoproj/argo-cd/blob/3c874ae065c14102003d041d76d4a337abd72f1e/util/git/client.go#L148
But good thing it is not a regression and affects only repo with whitespace in the URL :)
Actually this issue isn't about spaces per se, rather about the URL encoding. We are having the same issue with AWS CodeCommit repo urls where we have to use this format
https://SOME_CREDENTIAL_ID@git-codecommit.REGION.amazonaws.com/v1/repos/super-repo-name
There is also a username and password.
The @
symbol may be causing the same issue as the space character in the OP.
(I am trying to understand how I can do the workaround via Terraform.)
UPDATE: Actually scratch that, this is not affecting me, please ignore this message.
I encountered an issue yesterday where deleting a repo cred secret 1) did not update the list of repos in the UI and 2) did not allow an App using that repo to fall back to a credentials template (it errored on refresh with "secret not found).
I think a watch would solve this issue.
Use hard refresh
This is no longer a problem for me. My current workaround is to just avoid spaces in repository credentials or replace them with %20, which works OK.
I encountered an issue yesterday where deleting a repo cred secret 1) did not update the list of repos in the UI and 2) did not allow an App using that repo to fall back to a credentials template (it errored on refresh with "secret not found).
I think a watch would solve this issue.
I bumped into this issue myself in #10218, adding a watch on the secrets sounds good to me.
Scratch that, I could not reproduce this locally, where this actually works. Will dig a bit further to see what the actual issue is.
Checklist:
Describe the bug Changing the repository URL in the repository secret isn't recognized by ArgoCD until a reboot. We've only tested this with Repository Credentials.
Reproduction: (in my case)
Prep Project.2
SomeGitRepo
https://dev.azure.com/<yourorgname>/
(orgname without spaces)https://dev.azure.com/<yourorgname>/Prep Project.2/_git/SomeGitRepo
rpc error: code = Internal desc = Failed to fetch 3f884e25c735231ed489a8efdd1e041d36ec62b0: `git fetch origin --tags --force` failed exit status 128: fatal: unable to access 'https://dev.azure.com/<yourorgname>/Prep Project.2/_git/SomeGitRepo/': The requested URL returned error: 400
%20
instead of spaces, you will get the same errorTemplate used:
Expected behavior
You'd expect that, after updating the git url to replace
https://dev.azure.com/YourOrgName/Prep Project.2/_git/SomeGitRepo/
(contains a space) withhttps://dev.azure.com/YourOrgName/Prep%20Project.2/_git/SomeGitRepo/
(space is now %20) that the application will successfully pull the git repo.A git URL that contains a space converted to %20 always works, so long as this is the first time you configure that URL. I'd expect it to also work if you've first configured the wrong URl in the repository secret.
The issue is that Argo doesn't load the new repository secret, which makes it so that there is a mismatch between the application and the secret. I'd expect Argo to be able to see that the secret is updated and using that instead of the original secret.
A workaround we currently use:
Version
Running version 3.26.5 of helm chart at https://argoproj.github.io/argo-helm