argo-cd: Error accumulating resources when using a plugin and overlays points to another repo
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
- I’ve pasted the output of
argocd version
.
Describe the bug
I have the successfully setup a plugin called argocd-vault-plugin and am using it with AWS Secrets and this is true when my Kustomize files all live in the same repo.
Following is the configManagementPlugin section, where you can see the first step is just to run kustomize build .
before being passed into the vault plugin.
---
data:
configManagementPlugins: |
- name: argocd-vault-plugin
generate:
command: ["argocd-vault-plugin"]
args: ["generate", "./"]
- name: argocd-vault-plugin-kustomize
generate:
command: ["sh", "-c"]
args: ["kustomize build . | argocd-vault-plugin generate -"]
I have an application where the overlays are in the same repo but within the overlays kustomization the resources point to another repo. This works fine without the plugin as I have added both repositories to Argocd so it can authenticate and pull the necessary files. Also builds fine locally when I run kustomize build path/to/app
Application implemented with the argocd-vault-plugin-kustomize
source:
path: overlays/in/this/repo
repoURL: https://github.com/repo.git
targetRevision: main
plugin:
name: argocd-vault-plugin-kustomize
When I implement the plugin i then get
rpc error: code = Unknown desc = Manifest generation error (cached): `bash -c kustomize build . | argocd-vault-plugin generate -` failed exit status 1: Error: accumulating resources accumulation err='accumulating resources from 'https://github.com/a_different_repo.git/base': URL is a git repository': git cmd = '/usr/bin/git fetch --depth=1 origin HEAD': exit status 128 Error: No manifests
I believe it is down to the authentication not being used so it is not able to pull the other repo
Example kustomization.yaml file in overlays
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: docker-image
newName: name
newTag: tag
resources:
- https://github.com/a_different_repo.git/base
To Reproduce
Add a path to another repo in the resources section of the kustomization.yaml
file
Add a plugin to the application sepc
Try and deploy the app
Expected behavior
For the app to build like it does when the plugin is not used
Version
argocd: v2.0.4+0842d44.dirty
BuildDate: 2021-06-23T06:31:09Z
GitCommit: 0842d448107eb1397b251e63ec4d4bc1b4efdd6e
GitTreeState: dirty
GoVersion: go1.16.5
Compiler: gc
Platform: darwin/amd64
argocd-server: v2.3.2+ecc2af9
BuildDate: 2022-03-23T00:40:57Z
GitCommit: ecc2af9dcaa12975e654cde8cbbeaffbb315f75c
GitTreeState: clean
GoVersion: go1.17.6
Compiler: gc
Platform: linux/amd64
Ksonnet Version: v0.13.1
Kustomize Version: v4.4.1 2021-11-11T23:36:27Z
Helm Version: v3.8.0+gd141386
Kubectl Version: v0.23.1
Jsonnet Version: v0.18.0
About this issue
- Original URL
- State: open
- Created 2 years ago
- Reactions: 7
- Comments: 28 (6 by maintainers)
I’m attempting to get the vault plugin working with a Kustomize application and I believe I’m running into this as well. I’m trying to understand the scope of the issue to determine if it’s a dealbreaker.
From the docs:
Also from the docs:
Needing to run
kustomize build
inside the plugin means that “A copy of the repository is sent to the sidecar container as a tarball” is technically true, but it’s not sufficient if there are any resources defined in another repository as they’ll have to be resolved from inside the sidecar. And whatever magic the repo server normally does to supply credentials defined incredentialTemplates
doesn’t work in plugin sidecars. Is that accurate?Is there any way to run the kustomize build inside of the repo server and pass the output to the sidecar instead?