Fix ArgoCD CodeCommit credential-helper guidance (issue #149)#150
Merged
simlarsen merged 1 commit intoJun 25, 2026
Merged
Conversation
ArgoCD never invokes the configured git credential helper because: 1. The post mounted the gitconfig at /home/argocd/.gitconfig, but ArgoCD runs git with HOME=/dev/null so per-user config is never read; it must be the system config at /etc/gitconfig. 2. ArgoCD authenticates via GIT_ASKPASS fed from repo/repo-creds Secrets, not via an on-disk credential.helper. With no matching Secret it sends no credentials, so git fails non-interactively and CodeCommit returns 'authentication required ... SPNEGO token required'. Changes to posts/2026-02-26-argocd-aws-codecommit-credentials: - Rewrite Method 3 (IRSA): explain ArgoCD's HOME=/dev/null + askpass model, correct the mount to /etc/gitconfig, list the real prerequisites (aws CLI in the image, IRSA on repo-server SA, no conflicting repo-creds Secret), and note it is undocumented/unsupported upstream. - Add Method 4: IRSA credential-refresh CronJob that writes a repo-creds Secret (recommended, fully supported), plus the AWS-managed EKS option. - Reframe the intro so Method 3 is not presented as flatly 'best'. - Add a Troubleshooting entry for the 'SPNEGO token required' failure mode. - Update validation-summary.md and bump validatedAt.
Contributor
Author
|
Reviewed and verified the technical claims against primary sources before merging:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #149.
A reader reported that ArgoCD never invokes the AWS CodeCommit credential helper documented in Method 3 of
posts/2026-02-26-argocd-aws-codecommit-credentials, even thoughaws codecommit credential-helperandgit ls-remotework when run manually inside the repo-server container. They were right — the article's Method 3 was wrong on two counts (verified against the ArgoCD source, the ArgoCD docs, and the git docs):/home/argocd/.gitconfig, but ArgoCD's repo-server runs git withHOME=/dev/null, so a per-user config is never read. ArgoCD's docs say this verbatim: "Argo CD runs Git with the HOME environment variable set to /dev/null. As a result, global Git configuration is not supported." System config at/etc/gitconfigis the only honored location. (This also contradicted our own sibling article on Git credential caching, which already documents/etc/gitconfig.)credential.helper. It feeds credentials from matchingrepo/repo-credsSecrets into git throughGIT_ASKPASS. For a repo with no matching Secret (the IRSA-only case), it supplies no credentials at all, so git fails non-interactively and CodeCommit returns exactly the reportedauthentication required ... SPNEGO token required.Changes
HOME=/dev/null+ askpass model, correct the mount to/etc/gitconfig(withsubPath: gitconfig), and list the real prerequisites the post previously omitted: theawsCLI must be in the repo-server image, IRSA must be on the repo-server service account, and there must be no conflictingrepo-credsSecret (otherwise askpass short-circuits the helper). Flagged that this path is undocumented/unsupported upstream.repo-credsSecret — the recommended, fully supported IRSA pattern — plus a pointer to the AWS-managed EKS ArgoCD capability.SPNEGO token requiredfailure mode with a concrete checklist.validation-summary.mdand bumpedvalidatedAt.Validation
npm run validatepasses (exit 0); no other posts affected.