Skip to content

Fix ArgoCD CodeCommit credential-helper guidance (issue #149)#150

Merged
simlarsen merged 1 commit into
masterfrom
fix/argocd-codecommit-credential-helper-issue-149
Jun 25, 2026
Merged

Fix ArgoCD CodeCommit credential-helper guidance (issue #149)#150
simlarsen merged 1 commit into
masterfrom
fix/argocd-codecommit-credential-helper-issue-149

Conversation

@simlarsen

Copy link
Copy Markdown
Contributor

Summary

Fixes #149.

A reader reported that ArgoCD never invokes the AWS CodeCommit credential helper documented in Method 3 of posts/2026-02-26-argocd-aws-codecommit-credentials, even though aws codecommit credential-helper and git ls-remote work when run manually inside the repo-server container. They were right — the article's Method 3 was wrong on two counts (verified against the ArgoCD source, the ArgoCD docs, and the git docs):

  1. Wrong mount path. The gitconfig was mounted at /home/argocd/.gitconfig, but ArgoCD's repo-server runs git with HOME=/dev/null, so a per-user config is never read. ArgoCD's docs say this verbatim: "Argo CD runs Git with the HOME environment variable set to /dev/null. As a result, global Git configuration is not supported." System config at /etc/gitconfig is the only honored location. (This also contradicted our own sibling article on Git credential caching, which already documents /etc/gitconfig.)
  2. ArgoCD doesn't authenticate via credential.helper. It feeds credentials from matching repo/repo-creds Secrets into git through GIT_ASKPASS. For a repo with no matching Secret (the IRSA-only case), it supplies no credentials at all, so git fails non-interactively and CodeCommit returns exactly the reported authentication required ... SPNEGO token required.

Changes

  • Rewrote Method 3 (IRSA) to explain ArgoCD's HOME=/dev/null + askpass model, correct the mount to /etc/gitconfig (with subPath: gitconfig), and list the real prerequisites the post previously omitted: the aws CLI must be in the repo-server image, IRSA must be on the repo-server service account, and there must be no conflicting repo-creds Secret (otherwise askpass short-circuits the helper). Flagged that this path is undocumented/unsupported upstream.
  • Added Method 4: an IRSA credential-refresh CronJob that mints short-lived CodeCommit HTTPS credentials and writes them into a standard repo-creds Secret — the recommended, fully supported IRSA pattern — plus a pointer to the AWS-managed EKS ArgoCD capability.
  • Reframed the intro so Method 3 is no longer presented as flatly "best."
  • Added a Troubleshooting entry for the SPNEGO token required failure mode with a concrete checklist.
  • Updated validation-summary.md and bumped validatedAt.

Validation

npm run validate passes (exit 0); no other posts affected.

ArgoCD never invokes the configured git credential helper because:
1. The post mounted the gitconfig at /home/argocd/.gitconfig, but ArgoCD
   runs git with HOME=/dev/null so per-user config is never read; it must
   be the system config at /etc/gitconfig.
2. ArgoCD authenticates via GIT_ASKPASS fed from repo/repo-creds Secrets,
   not via an on-disk credential.helper. With no matching Secret it sends
   no credentials, so git fails non-interactively and CodeCommit returns
   'authentication required ... SPNEGO token required'.

Changes to posts/2026-02-26-argocd-aws-codecommit-credentials:
- Rewrite Method 3 (IRSA): explain ArgoCD's HOME=/dev/null + askpass model,
  correct the mount to /etc/gitconfig, list the real prerequisites (aws CLI
  in the image, IRSA on repo-server SA, no conflicting repo-creds Secret),
  and note it is undocumented/unsupported upstream.
- Add Method 4: IRSA credential-refresh CronJob that writes a repo-creds
  Secret (recommended, fully supported), plus the AWS-managed EKS option.
- Reframe the intro so Method 3 is not presented as flatly 'best'.
- Add a Troubleshooting entry for the 'SPNEGO token required' failure mode.
- Update validation-summary.md and bump validatedAt.
@simlarsen

Copy link
Copy Markdown
Contributor Author

Reviewed and verified the technical claims against primary sources before merging:

  • HOME=/dev/null — confirmed in ArgoCD's util/git/client.go (runCmdOutput sets HOME=/dev/null, GIT_TERMINAL_PROMPT=false) and stated explicitly in the ArgoCD git_configuration docs. So /home/argocd/.gitconfig is genuinely never read; /etc/gitconfig is correct.
  • askpass vs credential.helper — ArgoCD injects creds via GIT_ASKPASS (util/askpass/server.go); for an HTTPS repo with no matching Secret, GetGitCreds returns NopCreds{} (no env, no creds), which is why git fails non-interactively and CodeCommit returns SPNEGO token required. Note git itself consults credential.helper before askpass, so a helper at /etc/gitconfig is reachable only when no repo-creds Secret matches — that nuance is reflected in the rewrite.
  • Method 4 (CronJob → repo-creds Secret) is the community-confirmed working IRSA pattern and uses ArgoCD's first-class askpass path, so it doesn't depend on the unsupported fall-through behavior.

npm run validate passes. Methods 1 and 2 were already correct and are unchanged. Merging.

@simlarsen simlarsen merged commit 617207a into master Jun 25, 2026
2 checks passed
@simlarsen simlarsen deleted the fix/argocd-codecommit-credential-helper-issue-149 branch June 25, 2026 13:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

posts/2026-02-26-argocd-aws-codecommit-credentials - ArgoCD never invokes the configured Git credential helper

2 participants