argo-cd: ArgoCD is not using helm repository credentials for Chart dependencies


Checklist:

  • I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I’ve included steps to reproduce the bug.
  • I’ve pasted the output of argocd version.

Describe the bug

A password-protected private helm repository throws an error when added as a dependency in a helm chart's Chart.yaml file.

To Reproduce

  1. Create a private helm repo (a GitHub repo hacked to work as a helm chart registry in my case).
  2. Create a Secret in ArgoCD with either the label

argocd.argoproj.io/secret-type: repo-creds

or

argocd.argoproj.io/secret-type: repository

and the helm chart registry info

      url: "https://raw.githubusercontent.com/org/helm-charts/main/docs"
      name: "helm-charts"
      type: "helm"
      username: ""
      password: ""

  3. Create a helm-type app with the above helm chart dependency.

Expected behavior

ArgoCD should be able to resolve helm chart dependencies using either repo-creds or repository secrets.

Screenshots

rpc error: code = Unknown desc = Manifest generation error (cached): `helm repo add raw.githubusercontent.com https://raw.githubusercontent.com/org/helm-charts/main/docs` failed exit status 1: Error: looks like "https://raw.githubusercontent.com/org/helm-charts/main/docs" is not a valid chart repository or cannot be reached: failed to fetch https://raw.githubusercontent.com/org/helm-charts/main/docs/index.yaml : 404 Not Found

Version

v2.1.1+aab9542

Logs

NA

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 27
  • Comments: 36 (3 by maintainers)

Most upvoted comments

This issue is a very big concern for me as well. I have the issue in the latest 2.3.x version (2.3.4) and also tried the Release Candidate of 2.4 version (2.4.0-rc5), and both versions seem to have the issue. Here are my files.

Repository secret file:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    managed-by: argocd.argoproj.io
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-helm-repo
  namespace: argocd
type: Opaque
stringData:
  name: helm-repo
  password: password
  type: helm
  url: https://private-repo.fr/charts
  username: admin

My application file:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: helm-test
spec:
  destination:
    namespace: test
    server: 'https://kubernetes.default.svc'
  source:
    path: .
    repoURL: 'https://gitlab.com/chart-dependency.git'
    targetRevision: HEAD
  project: some-project

And this is my Chart.yaml located on my git repository referenced in my Application yaml:

apiVersion: v2
name: helm-test
version: 1.0.0
dependencies:
    - name: helm-test
      version: 1.0.0
      repository: https://private-repo.fr/charts

Without passCredentials:

Unable to create application: application spec for helm-test is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm repo add --username ****** --password ****** https:--private-repo.fr/charts https://private-repo.fr/charts` failed exit status 1: Error: repository name (https:--private-repo.fr/charts) already exists, please specify a different name

With passCredentials:

Unable to create application: application spec for helm-dep is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm dependency build` failed exit status 1: Error: could not download https://private-repo.fr:443/charts/helm-test-1.0.0.tgz: failed to fetch https://private-repo.fr:443/charts/helm-test-1.0.0.tgz : 401

I also tried setting my repository as an OCI one with the following settings for the repository:

stringData:
  enableOCI: "true"
  name: helm-repo
  password: password
  type: helm
  url: https://private-repo.fr/charts
  username: admin

and the passCredentials option for the app:

  source:
    path: .
    repoURL: 'https://gitlab.com/chart-dependency.git'
    targetRevision: HEAD
    helm:
      passCredentials: true

Using the URL with oci:// instead of https:// in my Chart.yaml, it always fails with a 401 error.

 Unable to create application: application spec for helm-dep is invalid: InvalidSpecError: Unable to generate manifests in .: rpc error: code = Unknown desc = `helm dependency build` failed exit status 1: Error: could not download oci://private-repo.fr/charts/helm-test: failed to authorize: failed to fetch anonymous token: unexpected status: 401

Do you guys have any update on this issue?

@chetan-rns I can add a chart directly, but if I have a Chart.yaml in a git repo that points to another private chart repo, it won't work.

Note we are using Azure ACR as our registry. The new passCredentials argument doesn't fix it, still 401.

adding the * on source

I have same issues, but not fixed mine.

Tested on latest 2.2.1 and still same issue. Our helm repo is unconventional, added as such:

        - name: application-test
          passwordSecret:
            key: password
            name: test-creds
          type: helm
          url: https://raw.githubusercontent.com/test/master/repo/
          usernameSecret:
            key: username
            name: test-creds

(works on our current version 2.0.5)

I have the same issue with v2.8.4. Any update?

I found a workaround that works for me, but may not be okay for everyone. By creating a new helm repository in the same project as my application, I am able to use the credentials I provided. It didn’t work without specifying a project in the repository definition and it didn’t work with the default project.

I tested this in v2.2.0+6da92a8.

Same here. Rolled back ArgoCD 2.1 because of the private repo access issue. I could create the repository config through the UI and it would register fine. I could see 200 in my private repo logs. But when chart generation time comes, it looks like these credentials are not used by the ArgoCD controller anymore. Just in my case it was Forbidden 403. The same config with 2.0.5 worked flawlessly.

You can get 404 Not Found back from GitHub when you are trying to access private GitHub repos without credentials. From the looks of it, the helm repo add command is not using credentials to add the private repo.

Was facing the same issues when I upgraded ArgoCD from v2.0.5 to v.2.1.8. But I was able to fix it (thanks to @moustafab's comment above) if I had included the Helm repository (Artifactory) in the sourceRepos settings of the project which the application was bound to. Had also tested the following scenarios:

  • Helm repository and credentials are configured via separate secrets that contain the labels argocd.argoproj.io/secret-type: repository resp. argocd.argoproj.io/secret-type: repo-creds
  • Helm repository and credentials are configured in the argocd-cm configMap

Both scenarios are working fine.

@alexmt we don't specify index.yaml in the chart URL

snippet from error above

failed to fetch https://raw.githubusercontent.com/org/helm-charts/main/docs/index.yaml : 404 Not Found

index.yaml was automatically added by helm commands.

It works without index.yaml in 2.0.5

I also have the same issue using an OCI repo from GitHub, and adding the * on source repos for the project didn’t solve it. I’m using Argo version 2.4.7.

When I exec inside the repo-server pod and run helm registry login then pull the chart it starts working.

We also ran into this and tried to reproduce the bug. In our case it was a “trailing slash” at the end of the URL pointing to a private helm repository (this was already noticed by @steinarox in https://github.com/argoproj/argo-cd/issues/7104#issuecomment-1032269035).

We had Chart.yaml files, located in git repositories pointed to by ArgoCD applications, with content similar to the following:

apiVersion: v2
name: argocd-helm-bug
description: A Helm chart which wraps a private helm chart
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: private
  version: "9.7.2"
  repository: "https://my.own.chartmuseum.example.com/"

ArgoCD in version 2.2.5 can’t sync the application then.

A sync error like:

ComparisonError: rpc error: code = Unknown desc = `helm repo add https://my.own.chartmuseum.example.com/ https://my.own.chartmuseum.example.com/` failed exit status 1: Error: looks like "https://my.own.chartmuseum.example.com/" is not a valid chart repository or cannot be reached: failed to fetch https://my.own.chartmuseum.example.com/index.yaml : 401 Unauthorized

will be shown.

This still works in version 2.0.5.

After removing the trailing slash from “https://my.own.chartmuseum.example.com/” the ArgoCD application can be synced again.
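The two conditions commenters above report as making the difference (a trailing slash on the dependency URL, and the Helm repository being listed in the project's sourceRepos) can be checked before syncing. The following is an added example, not code from the thread or from the Argo CD project; the function names, the hand-supplied lists of registered URLs and sourceRepos patterns, and the use of fnmatch as a stand-in for Argo CD's own pattern matching are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample input modelled on the Chart.yaml files quoted in the thread.
CHART_YAML = """\
apiVersion: v2
name: argocd-helm-bug
version: 0.1.0
dependencies:
- name: private
  version: "9.7.2"
  repository: "https://my.own.chartmuseum.example.com/"
- name: helm-test
  version: 1.0.0
  repository: https://private-repo.fr/charts
"""

REPO_LINE = re.compile(r"""^\s*repository:\s*["']?([^"'\s#]+)["']?\s*(?:#.*)?$""")


def dependency_repos(chart_yaml):
    """Extract dependency repository URLs (line-based; not a full YAML parser)."""
    matches = (REPO_LINE.match(line) for line in chart_yaml.splitlines())
    return [m.group(1) for m in matches if m]


def check_dependency(url, registered_urls, source_repos):
    """Return findings for one dependency URL; an empty list means no finding."""
    findings = []
    if url not in registered_urls:
        # A registered URL that differs only by a trailing slash is the case
        # reported in the last comment of the thread.
        near = [r for r in registered_urls if r.rstrip("/") == url.rstrip("/")]
        if near:
            findings.append(f"trailing-slash mismatch with registered URL {near[0]}")
        else:
            findings.append("no registered repository with this URL")
    # Assumption: fnmatch globbing approximates the project's sourceRepos matching.
    if not any(fnmatchcase(url, pattern) for pattern in source_repos):
        findings.append("not allowed by project sourceRepos")
    return findings


def preflight(chart_yaml, registered_urls, source_repos):
    """Map each dependency repository URL in a Chart.yaml to its findings."""
    return {url: check_dependency(url, registered_urls, source_repos)
            for url in dependency_repos(chart_yaml)}
```

The registered URLs are the `url` values of the repository and repo-creds secrets, and the patterns are the AppProject's sourceRepos entries; both are passed in as plain lists.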