argo-cd: Error accumulating resources when using a plugin and overlays points to another repo

Checklist:

  • I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I’ve included steps to reproduce the bug.
  • I’ve pasted the output of argocd version.

Describe the bug

I have successfully set up a plugin called argocd-vault-plugin and am using it with AWS Secrets, and this is true when my Kustomize files all live in the same repo.

Following is the configManagementPlugin section, where you can see the first step is just to run kustomize build . before being passed into the vault plugin.

---
data:
  configManagementPlugins: |
    - name: argocd-vault-plugin
      generate:
        command: ["argocd-vault-plugin"]
        args: ["generate", "./"]
    - name: argocd-vault-plugin-kustomize
      generate:
        command: ["sh", "-c"]
        args: ["kustomize build . | argocd-vault-plugin generate -"]

I have an application where the overlays are in the same repo, but within the overlays kustomization the resources point to another repo. This works fine without the plugin, as I have added both repositories to Argo CD so it can authenticate and pull the necessary files. It also builds fine locally when I run kustomize build path/to/app.

Application implemented with the argocd-vault-plugin-kustomize

  source:
    path: overlays/in/this/repo
    repoURL: https://github.com/repo.git
    targetRevision: main
    plugin:
      name: argocd-vault-plugin-kustomize

When I implement the plugin I then get:

rpc error: code = Unknown desc = Manifest generation error (cached): `bash -c kustomize build . | argocd-vault-plugin generate -` failed exit status 1: Error: accumulating resources accumulation err='accumulating resources from 'https://github.com/a_different_repo.git/base': URL is a git repository': git cmd = '/usr/bin/git fetch --depth=1 origin HEAD': exit status 128 Error: No manifests

I believe it is down to the authentication not being used, so it is not able to pull the other repo.

Example kustomization.yaml file in overlays

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

images:
- name: docker-image
  newName: name
  newTag: tag

resources:
  - https://github.com/a_different_repo.git/base

To Reproduce

  • Add a path to another repo in the resources section of the kustomization.yaml file
  • Add a plugin to the application spec
  • Try and deploy the app

Expected behavior

For the app to build like it does when the plugin is not used.

Version

argocd: v2.0.4+0842d44.dirty
  BuildDate: 2021-06-23T06:31:09Z
  GitCommit: 0842d448107eb1397b251e63ec4d4bc1b4efdd6e
  GitTreeState: dirty
  GoVersion: go1.16.5
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.3.2+ecc2af9
  BuildDate: 2022-03-23T00:40:57Z
  GitCommit: ecc2af9dcaa12975e654cde8cbbeaffbb315f75c
  GitTreeState: clean
  GoVersion: go1.17.6
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: v0.13.1
  Kustomize Version: v4.4.1 2021-11-11T23:36:27Z
  Helm Version: v3.8.0+gd141386
  Kubectl Version: v0.23.1
  Jsonnet Version: v0.18.0

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 7
  • Comments: 28 (6 by maintainers)

Most upvoted comments

I’m attempting to get the vault plugin working with a Kustomize application and I believe I’m running into this as well. I’m trying to understand the scope of the issue to determine if it’s a dealbreaker.

From the docs:

Sidecar plugin

This is a good option for a more complex plugin that would clutter the Argo CD ConfigMap. A copy of the repository is sent to the sidecar container as a tarball and processed individually per application.

Also from the docs:

generate:
  command:
    - sh
    - "-c"
    - "kustomize build . | argocd-vault-plugin generate -"

Needing to run kustomize build inside the plugin means that “A copy of the repository is sent to the sidecar container as a tarball” is technically true, but it’s not sufficient if there are any resources defined in another repository as they’ll have to be resolved from inside the sidecar. And whatever magic the repo server normally does to supply credentials defined in credentialTemplates doesn’t work in plugin sidecars. Is that accurate?

Is there any way to run the kustomize build inside of the repo server and pass the output to the sidecar instead?
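
The condition discussed above (a kustomization whose resources must be fetched from another repository inside the plugin container) can be detected before `kustomize build` runs. The following is an added example, not code from the issue, its commenters or the Argo CD project; the function names `list_remote_resources`, `preflight` and `write_sample` are hypothetical, the remote-URL patterns are a heuristic, and the sample file is a constructed copy of the overlay shown in the issue.

```shell
#!/bin/sh
# Added example: flag kustomize entries that need a network fetch (and so git credentials).
# list_remote_resources FILE: print remote entries under resources:/bases:/components:
list_remote_resources() {
  awk -v sq="'" '
    # A top-level key opens a new section; track only the ones that can hold remote targets.
    /^[A-Za-z]/ { in_list = ($0 ~ /^(resources|bases|components):/); next }
    in_list && /^[ \t]*-[ \t]+/ {
      item = $0
      sub(/^[ \t]*-[ \t]+/, "", item)            # drop the list marker
      sub(/[ \t]+#.*$/, "", item)                # drop a trailing comment
      gsub("^[\"" sq "]|[\"" sq "]$", "", item)  # drop surrounding quotes
      # Heuristic (assumption): URL schemes, scp-style git@ and bare github.com/ paths
      if (item ~ /^(https?|ssh|git):\/\// || item ~ /^git@/ || item ~ /^github\.com\//) print item
    }
  ' "$1"
}

# preflight DIR: 0 = only local resources, 1 = remote resources found, 2 = no file
preflight() {
  f="$1/kustomization.yaml"   # assumption: the file uses this exact name
  [ -f "$f" ] || { echo "no kustomization.yaml in $1" >&2; return 2; }
  remote=$(list_remote_resources "$f")
  [ -z "$remote" ] && return 0
  echo "remote kustomize resources need git credentials inside the plugin container:" >&2
  echo "$remote" | sed 's/^/  /' >&2
  return 1
}

# write_sample FILE: constructed copy of the overlay kustomization from the issue
write_sample() {
  cat > "$1" <<'EOF'
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

images:
- name: docker-image
  newName: name
  newTag: tag

resources:
  - https://github.com/a_different_repo.git/base
EOF
}

demo_dir=$(mktemp -d)
write_sample "$demo_dir/kustomization.yaml"
preflight "$demo_dir" || echo "preflight exit status: $?"
```

Placing `preflight . &&` in front of `kustomize build .` in a plugin command would make the failure name the remote bases instead of surfacing only the git exit status 128.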