search

argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.85k stars 5.45k forks source link

Can not add gitlab CE repository via ssh authentication #9229

Open gbonazzoli opened 2 years ago

gbonazzoli commented 2 years ago

Both UI and CLI are not able to create a git repository on a gitlab CE on premises:

This is what the command returns.

root@image-builder:~# argocd repo add git@gitlab.poltronesofa.com:it/k8s-tce-work.git --ssh-private-key-path ~/.ssh/id_rsa
FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: ssh: handshake failed: knownhosts: key is unknown

The same repository is OK if declared in https.

moyomendoza commented 2 years ago

I was also experiencing the same behavior in GitHub and I discovered that the issue is that known_hosts is being enforced by ArgoCD. I resolved my problem adding the ssh known host key in Argo and then adding the repo. https://argo-cd.readthedocs.io/en/latest/user-guide/private-repositories/#managing-ssh-known-hosts-data-using-the-argocd-web-ui

atefhaloui commented 2 years ago

Hi, I have a similar problem but the issue is coming from the fact that I'm running my gitlab CE on a non standard port. I've added the ssh public key to know_hosts ([gitlab.mydomain.com]:my_port ssh-ed25519 xxxxxxxxx) and tried to add the repository ssh://git@gitlab.mydomain.com:my_port/fa/myproject.git but it keeps saying ssh: handshake failed: knownhosts: key is unknown I have no clue on how to resolve this

jeliseocd commented 1 year ago

Hi, I have a similar problem but the issue is coming from the fact that I'm running my gitlab CE on a non standard port. I've added the ssh public key to know_hosts ([gitlab.mydomain.com]:my_port ssh-ed25519 xxxxxxxxx) and tried to add the repository ssh://git@gitlab.mydomain.com:my_port/fa/myproject.git but it keeps saying ssh: handshake failed: knownhosts: key is unknown I have no clue on how to resolve this

Same issue here. With a non standard SSH port it's not possible to add an ArgoCD repo. I have added in GitLab the ArgoCD SSH public key (I have tested that it connects correctly to GitLab repository by git clone ssh://git@server.example.com:2222/user/repository).

Then I have added the SSH public host keys for the server to ArgoCD: ssh-keyscan -p 2222 server.example.com | argocd cert add-ssh --batch

But there is no way to add a repo: argocd repo add ssh://git@server.example.com:2222/user/repository --ssh-private-key-path ~/id_rsa FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: ssh: handshake failed: knownhosts: key is unknown

Software Versions; ArgoCD: v2.4.4+f GitLab: 15.5.3-ee

jeliseocd commented 1 year ago

Updating ArgoCD to the latest version (v2.5.2) does not fix the problem.

drpaneas commented 1 year ago

I have the same problem with GitHub. Surprisingly the config map has the correct key. 

github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==

It’s the same key there is at the argocd repo from argocd installation and it is also the same key I have in my ~/.ssh/known_hosts.

The problem is:

REPO_ADDRESS="git@github.com:drpaneas/snesdb.git"
argocd repo add "$REPO_ADDRESS" --ssh-private-key-path ./privatekey --loglevel=debug

WARN[0001] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
FATA[0001] rpc error: code = Unknown desc = error testing repository connectivity: ssh: handshake failed: knownhosts: key mismatch

Fails.

But with insecure, it works:

$ argocd repo add "$REPO_ADDRESS" --insecure-ignore-host-key --ssh-private-key-path ./privatekey
WARN[0000] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
Repository 'git@github.com:drpaneas/snesdb.git' added
$ argocd repo list
WARN[0000] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web.
TYPE  NAME  REPO                                INSECURE  OCI    LFS    CREDS  STATUS      MESSAGE  PROJECT
git         git@github.com:drpaneas/snesdb.git  true      false  false  false  Successful

I would just like to add that exactly the same procedure works fine with GItlab private repo. Only with GitHub fails.

jeliseocd commented 1 year ago

Updating ArgoCD to the latest version (v2.5.2) does not fix the problem.

Updating ArgoCD to version v2.5.7 still does not solve the problem.

FunTimeCoding commented 1 year ago

I have the same problem I tried adding only individual keys from my host without success and then proceeded with --insecure-skip-server-verification

drpaneas commented 1 year ago

@FunTimeCoding

then proceeded with --insecure-skip-server-verification

did it work with insecure?

jeliseocd commented 1 year ago

I have tried the following:

In this second case:

FunTimeCoding commented 1 year ago

@drpaneas Yes. I did get the same error @jeliseocd described when using ssh-keyscan -p 1234 example.org | argocd cert add-ssh --batch because it added 3 different key formats, but when I deleted the other two besides ssh-rsa it worked. I used an intermediate file to store the scanned keys, manually deleted the lines and then imported using argocd cert add-ssh --batch --from temporary_known_hosts

jeliseocd commented 1 year ago

Problem solved. In my particular case, I was not correctly forwarding port 2222 to the Git server.

Anyway, the "FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: ssh: handshake failed: knownhosts: key is unknown" error still persists, so, with a non-standard SSH port in Git you have to use the option "--insecure-ignore-host-key"