Description
Checklist:
- I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I've included steps to reproduce the bug.
- I've pasted the output of argocd version.
Describe the bug
When an ArgoCD Application uses a Git repository as its source containing a Helm chart with OCI registry dependencies defined in Chart.yaml, the helm dependency build command fails with a 403 Forbidden error, even though the OCI registry credentials are correctly configured in ArgoCD.
To Reproduce
- Set up a private OCI Helm chart registry (e.g., GitLab Container Registry, Harbor, etc.)
- Push a Helm chart to the OCI registry:

  ```
  helm push my-chart-0.1.0.tgz oci://registry.example.com/my-org/charts
  ```

- Create a Git repository with a Helm chart that has an OCI dependency in Chart.yaml:

  ```yaml
  apiVersion: v2
  name: my-app
  version: "0.1.0"
  dependencies:
    - name: my-chart
      repository: oci://registry.example.com/my-org/charts
      version: "0.1.0"
  ```

- Configure an OCI repository secret in ArgoCD:

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: oci-registry-credentials
    namespace: argocd
    labels:
      argocd.argoproj.io/secret-type: repository
  type: Opaque
  stringData:
    enableOCI: "true"
    type: helm
    url: registry.example.com/my-org/charts
    username: my-user
    password: my-token
  ```

- Verify the credentials work directly:

  ```
  # This should succeed
  curl -u "my-user:my-token" "https://registry.example.com/v2/my-org/charts/my-chart/manifests/0.1.0"
  ```

- Create an ArgoCD Application pointing to the Git repository:

  ```yaml
  apiVersion: argoproj.io/v1alpha1
  kind: Application
  metadata:
    name: my-app
    namespace: argocd
  spec:
    source:
      repoURL: https://github.com/my-org/my-repo.git
      path: charts/my-app
      targetRevision: main
    destination:
      server: https://kubernetes.default.svc
      namespace: my-namespace
  ```

- Sync the application - it will fail with a ComparisonError
Expected behavior
ArgoCD should pass OCI repository credentials to the repo-server for any application that might need them (not just OCI-sourced applications), so that helm dependency build can authenticate to private OCI registries when resolving dependencies.
Applications using Git sources with Helm charts that have OCI dependencies should work the same as applications using OCI sources directly.
Screenshots
N/A
Version
argocd: v2.14.0+4e11671.dirty
BuildDate: 2025-01-14T16:07:26Z
GitCommit: 4e116711754f6922ec70460da955ae54fd0d1911
GitTreeState: dirty
GoVersion: go1.23.4
Compiler: gc
Platform: linux/amd64
FIPS mode: disabled
argocd-server: v2.14.0+4e11671
BuildDate: 2025-01-14T14:58:25Z
GitCommit: 4e116711754f6922ec70460da955ae54fd0d1911
GitTreeState: clean
GoVersion: go1.23.4
Compiler: gc
Platform: linux/amd64
Kustomize Version: v5.4.3 2024-07-19T16:40:33Z
Helm Version: v3.16.3+g3442645
Kubectl Version: v0.31.3
Jsonnet Version: v0.20.0
FIPS mode: disabled
Logs
ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): error building helm chart dependencies: failed to build helm dependencies: failed to build dependencies: failed to get command args to log: `helm dependency build` failed exit status 1: Error: could not download oci://registry.example.com/my-org/charts/my-chart: failed to perform "FetchReference" on source: GET "https://registry.example.com/v2/my-org/charts/my-chart/manifests/0.1.0": GET "https://registry.example.com/jwt/auth?scope=repository%3Amy-org%2Fcharts%2Fmy-chart%3Apull&service=container_registry": response status code 403: denied: access forbidden
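The following is an added example, not part of the original report and not Argo CD or Helm code. It splits the error above into the registry manifest request and the token request so you can see which of the two returned the 403 and for which scope, then checks that the secret's url value covers the requested chart. The function names and the prefix comparison are assumptions made for illustration; the sample string is constructed from the log line above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: tail of the ComparisonError shown under "Logs".
SAMPLE_ERROR = (
    'Error: could not download oci://registry.example.com/my-org/charts/my-chart: '
    'failed to perform "FetchReference" on source: '
    'GET "https://registry.example.com/v2/my-org/charts/my-chart/manifests/0.1.0": '
    'GET "https://registry.example.com/jwt/auth?scope=repository%3Amy-org%2Fcharts'
    '%2Fmy-chart%3Apull&service=container_registry": '
    'response status code 403: denied: access forbidden'
)
MANIFEST_PATH = re.compile(r"^/v2/(?P<repo>.+)/manifests/(?P<ref>[^/]+)$")


def parse_oci_auth_failure(message):
    """Split a helm OCI pull error into its manifest request and token request."""
    status = re.search(r"response status code (\d{3})", message)
    out = {"status": int(status.group(1)) if status else None,
           "manifest": None, "token": None, "failed_at": None}
    for raw in re.findall(r'GET "([^"]+)"', message):
        parts = urlsplit(raw)
        match = MANIFEST_PATH.match(parts.path)
        query = parse_qs(parts.query)  # parse_qs percent-decodes the values
        if match:
            out["manifest"] = {"host": parts.netloc, "repository": match["repo"],
                               "reference": match["ref"]}
            out["failed_at"] = "manifest"
        elif "scope" in query:
            # Scope has the form <type>:<name>:<actions>; the name may contain ':'.
            rtype, rest = query["scope"][0].split(":", 1)
            name, actions = rest.rsplit(":", 1)
            out["token"] = {"realm": f"{parts.scheme}://{parts.netloc}{parts.path}",
                            "service": query.get("service", [None])[0],
                            "type": rtype, "repository": name,
                            "actions": actions.split(",")}
            out["failed_at"] = "token"  # last GET in the chain is the one that got the status
    return out


def secret_covers(secret_url, parsed):
    """Plain prefix check of a repository secret's url against the requested chart.
    Illustrative comparison only, not Argo CD's own matching code."""
    manifest = parsed["manifest"]
    target = f'{manifest["host"]}/{manifest["repository"]}'
    prefix = re.sub(r"^[a-z]+://", "", secret_url).rstrip("/")
    return target == prefix or target.startswith(prefix + "/")


if __name__ == "__main__":
    info = parse_oci_auth_failure(SAMPLE_ERROR)
    print(info)
    print("secret url covers chart:", secret_covers("registry.example.com/my-org/charts", info))
```

On the sample, the failing step is the token request for scope repository:my-org/charts/my-chart:pull, while the curl check in the reproduction steps sends basic auth to the manifest URL only.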