Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple repo credentials for identical repo URLs can cause problems #16831

Closed
3 tasks done
doxsch opened this issue Jan 11, 2024 · 0 comments · Fixed by #16833
Closed
3 tasks done

Multiple repo credentials for identical repo URLs can cause problems #16831

doxsch opened this issue Jan 11, 2024 · 0 comments · Fixed by #16833
Labels
bug Something isn't working

Comments

@doxsch
Copy link
Contributor

doxsch commented Jan 11, 2024

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

We had mistakenly configured two ssh repo credentials (credential templates) for the same repo url during a migration. However, these did not have the same rights. One of the two credentials only had access to our test repos whereas the other was the correct one. As a result, the wrong credential was sometimes used to check the repos, which understandably led to errors. Finding this was not trivial, as the errors occurred only sporadically and very randomly.

To Reproduce

  • Add two repo credentials that have the identical repo url but different permissions on the repos
  • Add multiple repositories and applications that correspond to the different permissions
  • You will see that the health status of the apps will flicker

Expected behavior

Without having looked at the implementation details, we thought that the default ssh behavior should apply. This means that all available keys are tried until the operation is successful. We think that this would also be the best behavior.

As the implementation does not appear to be entirely trivial, we would welcome it if the behavior could be logged. If two repo credentials (credential templates) with the identical repo url are present we should see a warning in the logs. We don't currently see a use case when this would be useful as the credentials are chosen randomly: https://github.com/argoproj/argo-cd/blob/master/util/db/repository_secrets.go#L473C36-L473C36

Version

argocd version
argocd: v2.8.4+c279299
  BuildDate: 2023-09-13T19:12:09Z
  GitCommit: c27929928104dc37b937764baf65f38b78930e59
  GitTreeState: clean
  GoVersion: go1.20.6
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.8.4+c279299
  BuildDate: 2023-09-13T19:12:09Z
  GitCommit: c27929928104dc37b937764baf65f38b78930e59
  GitTreeState: clean
  GoVersion: go1.20.6
  Compiler: gc
  Platform: linux/amd64
  KustomizeVersion: v5.1.0 2023-06-19T16:58:18Z
  HelmVersion: v3.12.1+gf32a527
  KubectlVersion: v0.24.2
  JsonnetVersion: v0.20.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

chore: log warning if multiple repo credentials found for same repo URL (#16831) doxsch/argo-cd
1 participant
@doxsch