Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can this provider use an ED25519 key as a deploy key to talk to a repo? #385

Open
Vermyndax opened this issue Apr 2, 2024 · 4 comments
Open
Labels
needs-more-info Waiting on additional information from issue/PR reporter. question Further information is requested

Comments

@Vermyndax
Copy link

Terraform Version, ArgoCD Provider Version and ArgoCD Version

Terraform version: 1.7.5
ArgoCD provider version: 6.1.1
ArgoCD version: v2.10.2+fcf5d8c.dirty

Terraform configuration

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~>3.0"
    }
    argocd = {
      source  = "oboukili/argocd"
      version = "~>6.1.1"
    }
  }
}

provider "argocd" {
  port_forward = true
  kubernetes {
    host                   = azurerm_kubernetes_cluster.aks-argocd.kube_config.0.host
    client_certificate     = base64decode(azurerm_kubernetes_cluster.aks-argocd.kube_config.0.client_certificate)
    client_key             = base64decode(azurerm_kubernetes_cluster.aks-argocd.kube_config.0.client_key)
    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks-argocd.kube_config.0.cluster_ca_certificate)
  }
}

resource "argocd_repository" "helm_charts" {
  repo            = "[email protected]:omitted/omitted.git"
  username        = "git"
  ssh_private_key = var.helm_charts_private_key
  insecure        = true
}

var.helm_charts_private_key does not have a default value. It is supplied during GitHub Actions from a GitHub Secret.

Question

I'm trying to use an ed25519 deploy key for ssh access to the repository. The key exists in the "deploy keys" portion of the repository already. I'm trying to configure our ArgoCD cluster via the provider to talk to the repo. I've supplied the ed25519 private key into GitHub Secrets and verified that the value is being passed into the var.helm_charts_private_key variable.

Does the provider accept deploy keys as ed25519?

It seems when hitting the ParseSshKey method, openssh doesn't like it:

Error: ssh_private_key: invalid ssh private key: ssh: no key found

...during terraform plan step.

@Vermyndax Vermyndax added the question Further information is requested label Apr 2, 2024
@blevz
Copy link

blevz commented Sep 25, 2024

Any updates on this? We are able to deploy argocd with a key which fails to parse in the argocd terraform setup. This is blocking our effort to move our argocd bootstrap to terraform

@the-technat
Copy link
Collaborator

Let me take a look at it...

@the-technat
Copy link
Collaborator

the-technat commented Sep 28, 2024

I can reproduce the issue with the following procedure:

kind create cluster --name argocd
kubectl create namespace argocd
kubectl apply -f https://github.com/argoproj/argo-cd/raw/refs/tags/v2.12.4/manifests/install.yaml -n argocd
ssh-keygen -t ed25519 -C "Argo CD Testing"

Using this terraform snippet:

terraform {
  required_providers {
    argocd = {
      source  = "oboukili/argocd"
      version = "6.1.1"
    }
  }
}

variable "ssh_key" {
  type = string
  description = "PEM encoded ssh key to use"
}

variable "argocd_password" {
  type = string
  description = "Argo CD Admin password"
}

provider "argocd" {
  port_forward_with_namespace = "argocd"
  username = "admin"
  password = var.argocd_password
  kubernetes {
    config_context = "kind-argocd"
  }
}

resource "argocd_repository" "test_repo" {
  repo            = "[email protected]:the-technat/the-technat.git"
  username        = "git"
  ssh_private_key = var.ssh_key
  insecure        = true
}

And then running:

export TF_VAR_argocd_password="$(kubectl -n argocd get secrets argocd-initial-admin-secret -o jsonpath='{.data.password}' | base64 -d)"
export TF_VAR_ssh_key="<ed25519 private key>"
terraform init
terraform apply -auto-approve

The following points have been observed:

  • With an RSA key, the provider throws an error when trying to verify if the ssh key is valid (which he's not)
  • With an ED25519 key, the provider immediately throws the error ssh_private_key: invalid ssh private key: ssh: no key found, without even trying to connect to the argocd api (e.g an invalid provider config could be specified) nor github to validate the key.

=> This must be an issue in the validate function of the ssh_key param. I can see that the used ParsePrivateKey function calls some other functions that might not support ED25519. But I'll have to investigate that further.

@the-technat
Copy link
Collaborator

Really strange, when I set the private key without "", it seems to work.

@Vermyndax can you validate in which format you set the variable for the private key and try to change something on the format? Maybe try setting the variable for your private key without quotation marks like so: export TF_VAR_ssh_key="$(cat ~/.ssh/id_ed25519)"?

@the-technat the-technat added the needs-more-info Waiting on additional information from issue/PR reporter. label Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs-more-info Waiting on additional information from issue/PR reporter. question Further information is requested
Projects
None yet
Development

No branches or pull requests

3 participants