Authentication Failure with Git Artifacts Inputs

[tacf]

Checklist

• Double-checked my configuration.
• Tested using the latest version.
• Used the Emissary executor.

Summary

What happened/what you expected to happen?

Using git artifacts as input throws 'authentication error' in latest version. This started happening last week with local setup that i was testing. The solution was to move to the comunity helm chart (i wasn't able to easily bump down the controller version without additional weird errors) and forcing controller to version 'v3.3.1' instead of latest.

During the whole process nothing was changed with PAT or it's access to the repo. The same PAT used (and which worked) and te beginning, stopped working and then worked again after the downgrade to older container version.

What version are you running?

I'm runing the quick postgress example in the docs. Kubernetes v1.19.16

Diagnostics

1. Create a valida PAT on github
2. Configure simple workflow that inputs with PAT from that repo

Please let me know what other details i can provide ir order to allow for reproducibility.

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

[alexec]

Do not run :latest except for development. It is the bleeding edge. This is most likely caused by #7486 .

[alexec]

I don't have enough information it this PR to reproduce the issue. I know you cannot share your PAT. Instead, what about spending 30m on a Zoom?

https://bit.ly/book-30m-with-argo-team

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is a mentoring request, please provide an update here. Thank you for your contributions.

[mgoodness]

I'm getting this with :latest as well, when git.revision is a specific commit hash. See also this comment from @auswells.

[alexec]

The bug is in this line of code:

argo-workflows/workflow/artifacts/git/git.go

Line 155 in 16fef4e

if err := r.Fetch(&git.FetchOptions{RefSpecs: refspecs}); isFetchErr(err) {

It is missing auth. It should look more like this:

argo-workflows/workflow/artifacts/git/git.go

Line 137 in 16fef4e

opts := &git.FetchOptions{Auth: auth, RefSpecs: refSpecs, Depth: depth}

@mgoodness would you like to submit a PR to fix?

[mgoodness]

Woot! Sure, PR incoming.

[yeongsheng-tan]

I'm still getting the error on argo-workflows master branch from commit hash 61211f9d. Plus singleBranch with branch throws workflow json error:

❯ argo submit -n argo --watch ms-auth-git.yaml
FATA[2022-06-30T22:49:51.704Z] Failed to parse workflow: json: unknown field "branch"

My workflow is a modified version from input-artifact-git.yaml

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: ms-auth-git-
spec:
  entrypoint: git-clone
  templates:
  - name: git-clone
    inputs:
      artifacts:
      - name: ms-auth-source
        path: /src
        git:
          repo: https://gitlab.com/yeong.sheng1/ms-auth.git
          usernameSecret:
            name: gitlab-access
            key: username
          passwordSecret:
            name: gitlab-access
            key: password
          singleBranch: true
          branch: "develop"
    container:
      image: alpine/git:latest
      command: [sh, -c]
      args: ["git status && ls && cat README.md"]
      workingDir: /src

[Dbraum]

I also get the same error ,the workflow

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: input-artifact-git-
spec:
  entrypoint: git-clone
  templates:
  - name: git-clone
    inputs:
      artifacts:
      - name: argo-source
        path: /src
        git:
          repo: https://github.com/argoproj/argo-workflows.git
          # revision: "v2.1.1"
          singleBranch: true
          branch: "master"
          # branch: "main"
          # For private repositories, create a k8s secret containing the git credentials and
          # reference the secret keys in the secret selectors: usernameSecret, passwordSecret,
          # or sshPrivateKeySecret.
          # NOTE: when authenticating via sshPrivateKeySecret, the repo URL should supplied in its
          # SSH format (e.g. git@github.com:argoproj/argo-workflows.git). Similarly, when authenticating via
          # basic auth, the URL should be in its HTTP form (e.g. https://github.com/argoproj/argo-workflows.git)
          # usernameSecret:
          #   name: github-creds
          #   key: username
          # passwordSecret:
          #   name: github-creds
          #   key: password
          # sshPrivateKeySecret:
          #   name: github-creds
          #   key: ssh-private-key
          # 
          # insecureIgnoreHostKey disables SSH strict host key checking during the git clone
          # NOTE: this is unnecessary for the well-known public SSH keys from the major git
          # providers (github, bitbucket, gitlab, azure) as these keys are already baked into
          # the executor image which performs the clone.
          # insecureIgnoreHostKey: true
          #
          # Shallow clones/fetches can be performed by providing a `depth`.
          # depth: 1
          #
          # Additional ref specs to fetch down prior to checkout can be
          # provided with `fetch`. This may be necessary if `revision` is a
          # non-branch/-tag ref and thus not covered by git's default fetch.
          # See https://git-scm.com/book/en/v2/Git-Internals-The-Refspec for
          # the refspec format.
          # fetch: refs/meta/*
          # fetch: refs/changes/*
          #
          # Single branch mode can be specified by providing a `singleBranch` and `branch` This mode 
          # is faster than passing in a revision, as it will only fetch the references to the given branch.
          
    container:
      image: golang:1.10
      command: [sh, -c]
      args: ["git status && ls && cat VERSION"]
      workingDir: /src

[ghost]

Same here

  argo: v3.3.9+5db53aa.dirty
  BuildDate: 2022-08-10T02:08:30Z
  GitCommit: 5db53aa0ca54e51ca69053e1d3272e37064559d7
  GitTreeState: dirty
  GitTag: v3.3.9
  GoVersion: go1.19
  Compiler: gc
  Platform: darwin/amd64