argo-cd: Private helm repo as dependency doesn't use creds

If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack channel.

Checklist:

I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
I’ve included steps to reproduce the bug.
I’ve pasted the output of argocd version.

Describe the bug

Even if you add your private helm repository in repositories, argocd will try to add repo without passing credentials. I also tried to add repo manually from repo-server pod, doesn’t work.

My configuration:

% kubectl -nargocd get secret repo-110926157 -o yaml
apiVersion: v1
data:
  password: xxx
  type: Z2l0
  url: yyy
  username: TkNSRTd4UnpoaVZ3NjRGeS1qV3g=
kind: Secret
metadata:
  annotations:
    managed-by: argocd.argoproj.io
  creationTimestamp: "2021-12-04T00:28:50Z"
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-110926157
  namespace: argocd
  resourceVersion: "6047703"
  uid: 7bb708fa-55a0-4553-9da6-b4c1c68d2a81
type: Opaque

% kubectl -nargocd get secret repo-2505203663 -o yaml
apiVersion: v1
data:
  name: dmlhLWdlbmVyaWM=
  password: xxx
  type: aGVsbQ==
  url: yyy
  username: TkNSRTd4UnpoaVZ3NjRGeS1qV3g=
kind: Secret
metadata:
  annotations:
    managed-by: argocd.argoproj.io
  creationTimestamp: "2021-12-04T00:29:24Z"
  labels:
    argocd.argoproj.io/secret-type: repository
  name: repo-2505203663
  namespace: argocd
  resourceVersion: "6047800"
  uid: 12cf7d91-c747-4842-8648-ca0fc7453b4f
type: Opaque

To Reproduce

Add your application with git-repository, where you store helm chart.
Chart.yaml must include dependency. The dependency is a chart from private repository
Using UI add credentials for your git repository and subchart repository
Try to deploy application Expected behavior

repo-server trying to add private helm repo passing user/pass credentials described in the UI.

Screenshots

Version

$ argocd version
argocd: v2.1.6+a346cf9
  BuildDate: 2021-10-28T19:59:40Z
  GitCommit: a346cf933e10d872eae26bff8e58c5e7ac40db25
  GitTreeState: clean
  GoVersion: go1.16.5
  Compiler: gc
  Platform: linux/amd64

Logs

time="2021-12-04T00:32:07Z" level=error msg="finished unary call with code Unknown" error="`helm repo add https://git.xxx.dev/api/v4/projects/474/packages/helm/stable https://git.xxx.dev/api/v4/projects/474/packages/helm/stable` failed exit status 1: Error: looks like \"https://git.xxx.dev/api/v4/projects/474/packages/helm/stable\" is not a valid chart repository or cannot be reached: failed to fetch https://git.xxx.dev/api/v4/projects/474/packages/helm/stable/index.yaml : 401 Unauthorized" grpc.code=Unknown grpc.method=GenerateManifest grpc.request.deadline="2021-12-04T00:33:05Z" grpc.service=repository.RepoServerService grpc.start_time="2021-12-04T00:32:05Z" grpc.time_ms=1522.96 span.kind=server system=grpc

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 41 (3 by maintainers)

Most upvoted comments

We now added a name property to the stringData of the secret which is the same as the name of the secret itself, and it works! Thank you very much!

mamjong on Feb 3, 2022

I’m also experiencing this issue.

Argocd version: 2.2.5

My repository secret is as follows:

apiVersion: v1
kind: Secret
metadata:
  name: helm-chart-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  name: mydomain
  url: https://charts.mydomain.com
  type: helm
  username: blah
  password: blah

my Chart.yaml is as follows

apiVersion: v2
name: project
type: application
version: 0.0.0
dependencies:
  - name: project
    version: 1.0.0
    repository: https://charts.mydomain.com

and my argo app:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: project-demo
  namespace: argocd
spec:
  destination:
    server: "https://kubernetes.default.svc"
  source:
    path: clusters/project
    repoURL: ssh://git@github.com/charts.git
    targetRevision: master
  project: project

When deploying with argo I get this error: rpc error: code = Unknown desc = helm repo add https://charts.mydomain.com https://charts.mydomain.com failed exit status 1: Error: looks like "https://charts.mydomain.com" is not a valid chart repository or cannot be reached: failed to fetch https://charts.mydomain.com/index.yaml : 401 Unauthorized

Can this issue be reopened?

TSASM on Mar 8, 2022

I’m using something like

apiVersion: v1
kind: Secret
metadata:
  name: oci-repository
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
type: Opaque
stringData:
  name: oci-repository
  url: <subdomain>.azurecr.io
  type: 'helm'
  enableOCI: 'true'
  username: <username>
  password: <password>

mcjhknauf on Feb 3, 2022

I found this issue in Argo v2.6.7 with Project and RBAC configured.

My 2c in case it helps:

Add TLS certificate (if needed, it is in my case).
Add repository of type Helm. I added it by creating a Kubernetes secret.

kind: Secret
apiVersion: v1
metadata:
  name: repo-helm
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
data:
  name: repo-helm | base64
  password: secretPassword | base64
  project: Argo Project | base64
  type: helm | base64
  url: https://$URL/ | base64
  username: botusername | base64
type: Opaque

Since I’m using an Argo Project and RBAC, I added the repo URL to Source Repositories. The repo URL must contain the slash “/” at the end of the URL.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
.....
  sourceRepos:
    - >-
      https://$URL/
...

fperearodriguez on Aug 1, 2023

In my case I have a “*”, but if some repository is already present, the OCI one need to be added.

@mcjhknauf @ocraviotto We have the following project configuration:

As you can see we have the asterisk wildcard for the source and scoped repositories.

mamjong on Feb 3, 2022

I found the error. As often Layer 8 😉 The helm repo wasn’t allowed in the project as a source repo 🤦‍♂️ https://github.com/argoproj/argo-cd/issues/7757

daydy16 on Apr 19, 2022

Same with v2.1.6, subcharts and artifactory

daydy16 on Apr 19, 2022

2.2.5 as well, still getting 401…

edit: tried with both old-style Helm repository and OCI one. Result is the same.

er1z on Apr 2, 2022