argo-cd: argo-repo-server issue: gpg ... --gen-key failed exit status 2
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
- I’ve pasted the output of
argocd version
.
Describe the bug
After upgrading argo-cd from version v2.3.5 to v.2.4.3 the argo-repo-server stopped working with the logs:
argocd-repo-server time="2022-06-28T16:18:42Z" level=info msg="Generating self-signed gRPC TLS certificate for this session" │
│ argocd-repo-server time="2022-06-28T16:18:42Z" level=info msg="Initializing GnuPG keyring at /app/config/gpg/keys" │
│ argocd-repo-server time="2022-06-28T16:18:42Z" level=info msg="gpg --no-permission-warning --logger-fd 1 --batch --gen-key /tmp/gpg-key-recipe301546403" dir= execID=f1898 │
│ argocd-repo-server time="2022-06-28T16:18:48Z" level=error msg="`gpg --no-permission-warning --logger-fd 1 --batch --gen-key /tmp/gpg-key-recipe301546403` failed exit status 2" │
│ argocd-repo-server time="2022-06-28T16:18:48Z" level=info msg=Trace args="[gpg --no-permission-warning --logger-fd 1 --batch --gen-key /tmp/gpg-key-recipe301546403]" dir= opera │
│ argocd-repo-server time="2022-06-28T16:18:48Z" level=fatal msg="`gpg --no-permission-warning --logger-fd 1 --batch --gen-key /tmp/gpg-key-recipe301546403` failed exit status 2" │
This leads to Argo CD UI showing error:
rpc error: code = Unavailable desc = connection error: desc = "transport: Error while dialing dial tcp 10.3.43.220:8081: connect: connection refused"
To Reproduce
For me it was just the upgrade.
Expected behavior
argo-repo-server starts up without errors.
Screenshots
Version
argocd: v2.1.3+d855831.dirty
BuildDate: 2021-09-30T22:11:24Z
GitCommit: d855831540e51d8a90b1006d2eb9f49ab1b088af
GitTreeState: dirty
GoVersion: go1.17.1
Compiler: gc
Platform: darwin/amd64
argocd-server: v2.4.3+471685f
About this issue
- Original URL
- State: open
- Created 2 years ago
- Reactions: 8
- Comments: 50 (3 by maintainers)
We had the same issue (argocd-repo-server erroring out with GPG errors) when installing from kustomize from cluster-install manifest. The setup works off the shelf for minikube, but for a “real” cluster had this issue. Just removing the
seccompProfile
section from thesecurityContext
section solved it.We experienced the same error after upgrading from 2.2.x to 2.4.11.
In our case we had patched the deployment with the below patch. After removing it, the error disappeared and repo server could start up.
I’m using the “official” argo-cd Helm chart to deploy ArgoCD on a K8s cluster. Unfortunately I cannot “unset” the seccompProfile value because of a bug in Helm when trying to overring subchart values (https://github.com/helm/helm/issues/5184, https://github.com/helm/helm/issues/9136, current pull request fixing this problem:https://github.com/helm/helm/pull/11440). Normally, you just have to set the seccompProfile to “null”. This happen because I created a custom Helm chart which has a dependency the official ArgoCD helm chart.
So, for me the only solution was to set a value (at least this works when setting values for subcharts). If someone encounters the same problem, just set the following value in your values.yaml file of your umbrella/parent chart:
Hopping a better solution can be found in the near future because having to lower security to make the service work is not really a great workaround !
We @swisscom have the same issue with a Kubernetes cluster based on VMware Tanzu
v1.21.9+vmware.1
.Whoa.
Log Line
argocd-repo-server
v2.4.12
gpg
Hm, also no change for us. So far only disabling gpg as described in https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/ removes the error.
I have the same problem when I upgraded ArgoCD to version 2.5.2 This workaround works for me. Thanks bro!
Hi brother, I also met the same problem. The final solution is to check whether your argocd version and kubernetes version correspond. Refer to the link https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/
We had 2.4.11 running in a temporary playground environment where it ran fine. Then we started comparing the setups and found the seccompProfile was missing in the playground environment. We removed it in our production environments and Bingo!
We @swisspost are also facing this issue on VMware TKGI 1.22 (= TKGI
1.13.4-build.15
). Argo CD v2.4.7 (via helm chart version 4.9.16) is working fine on AWS EKS and Azure AKS but not on TKGI.TKGI runs really old worker OS:
I then suspected that Ubuntu 16 worker with Ubuntu 22 base image has some compat issues (Argo 2.4 container image is based on Ubuntu 22).
Unfortunately this theory is wrong - I booted a single-node k3s cluster with Ubuntu 16 LTS, docker and k3s:
Argo CD 2.4.7 is working fine here. I have no clue what else to try and filed a VMware issue in our support portal. 🙄
I can confirm it’s definitely missing special rights for this service account. I granted now everything for this service account and now the argocd-repo-server is starting. I’m now digging into that we have a least privilege role.
@denysvitali Could you please try out in your env by excluding the
seccomProfile
?just removing the
seccompProfile
sub-section worked for us (details). Thank you, @jabbors ! How did you narrow down to this part?Nice! Thanks for confirming that❤️. We postponed the upgrade intent for Argo on Tanzu and wait for TKGI 1.16 in Q1 2023 🙄