ArgoCD Repo Server stops pulling git repositories due to Azure Devops Repos current sunset SSH-RSA strategy #17634
Comments
We are having the same issue and currently can't sync our applications anymore. Any progress on this?

+1

My understanding is that this isn't an issue with golang's crypto library. Rather it has to do with the hash algorithms ssh accepts in Ubuntu 22.04 (the version Argo CD images are built on). It looks like Ubuntu 22.04 does support the listed algorithms (based on this guide), but maybe neither algorithm is enabled by default in the handshake. You might have to explicitly enable that host key algorithm.

I'm not too familiar with all the internal workings of SSH, but would it be a solution to change the known_hosts entry for azure devops to: I've changed this within my setup using

I'm now testing with an explicit deny for ssh-rsa in the ssh config of the repo server, the opposite of what is described here: https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.1-2.2/#workaround
I suspect that the ssh will work without any config changes once Microsoft is done with the brownout period. It probably currently fails because they still expose the ssh-rsa signature key as 'valid' from their side during brownouts.

My previous 'workaround' doesn't work, sadly. Disabling the server verification doesn't sit well with me either, so I hope there is some other solution.

Do you encounter issues pulling git repositories directly on the host machine?

I haven't tested this, but I can at least say that the config is used with a regular

For my case,
Hope it helps.

I can confirm what is being mentioned here. During the Microsoft brownouts, we are able to work locally with Azure DevOps Git using SSH keys, however all of our Argo instances fail to connect citing the error mentioned above.

We just got into this issue right now.
Hope this helps as a temporary workaround.

This seems to work for us. Change the SSH key to sha2_512. Kustomize Patch for the Repo Server:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      containers:
        - name: argocd-repo-server
          volumeMounts:
            - mountPath: /home/argocd/.ssh
              name: argo-server-ssh-config
      volumes:
        - name: argo-server-ssh-config
          configMap:
            name: argo-server-ssh-config
```

ConfigMap for the ssh-config:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argo-server-ssh-config
data:
  config: |
    Host *
      HostkeyAlgorithms -ssh-rsa
      PubkeyAcceptedAlgorithms -ssh-rsa
```

Note: It is possible that this just worked because the brownout ended.

@maxkaemmerer @AleksuKey How long ago did you test this? Note that the brownout has ended so it is possible that this is the reason it now works, instead of the fixes actually working. Neither of these two fixes worked for us.
This works because you are no longer verifying SSL, so ArgoCD is ignoring SSL errors. This is not an appropriate fix, and I would not even suggest it as a workaround for production systems.

About five minutes before I wrote the comment. During the last brownout we tested it with a sha2-512 key and had other errors which do not appear with the approach I commented above. (I do not remember the exact wording of those other errors.) We are also very hesitant to add the --insecure flag. This is not my area of expertise. We just tried the approach with the ssh-config and that seems to have worked, hoping it works for others as well until a proper fix is found. We are on ArgoCD version v2.10.6 btw.

On the ArgoCD 2.8.4 version rsa-sha2-256 is working, but the important thing to check is whether the new lines are put appropriately in the k8s secret with sshPrivateKey for Azure DevOps, because when we put this private key in the Azure Key Vault as a secret, the "-----END OPENSSH PRIVATE KEY-----" part was not on a new line but was part of the key line. After fixing this, ArgoCD can sync properly with Azure DevOps repos.

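A small check for the framing problem described in the comment above, added here as an example (it is not code from this thread or from Argo CD): it verifies that an OpenSSH private key pasted into a secret keeps the BEGIN/END markers on their own lines and ends with a newline. The sample keys are constructed placeholders, not real key material.

```python
import re

BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"
B64 = re.compile(r"[A-Za-z0-9+/=]+")


def check_openssh_key_framing(pem: str) -> list:
    """Return a list of framing problems in an OpenSSH private key (empty list = OK).

    Catches the cases reported in this issue: a missing trailing newline and
    an END marker that was glued onto the last base64 line by a secret store.
    """
    problems = []
    if not pem.endswith("\n"):
        problems.append("missing trailing newline after END marker")
    lines = [l for l in pem.splitlines() if l.strip()]
    if not lines:
        return ["empty key"]
    if lines[0] != BEGIN:
        problems.append("first line is not the BEGIN marker")
    if lines[-1] != END:
        if END in lines[-1]:
            problems.append("END marker is fused onto the last base64 line")
        else:
            problems.append("last line is not the END marker")
    # Everything between the markers must be plain base64 text
    for l in lines[1:-1]:
        if not B64.fullmatch(l):
            problems.append(f"body line is not base64: {l[:24]!r}")
    return problems


# Constructed samples (placeholder base64, not real keys): one well-formed key,
# one with the END marker fused onto the key body, one without trailing newline.
GOOD_KEY = BEGIN + "\nb3BlbnNzaC1rZXktdjEAAAAA\nQUJDREVGRw==\n" + END + "\n"
FUSED_KEY = BEGIN + "\nb3BlbnNzaC1rZXktdjEAAAAA\nQUJDREVGRw==" + END + "\n"
NO_NEWLINE_KEY = BEGIN + "\nb3BlbnNzaC1rZXktdjEAAAAA\n" + END

if __name__ == "__main__":
    for name, key in [("good", GOOD_KEY), ("fused", FUSED_KEY), ("no-newline", NO_NEWLINE_KEY)]:
        print(name, check_openssh_key_framing(key) or "OK")
```

Run it against the decoded `sshPrivateKey` value of the repository secret before handing it to Argo CD.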
We have had this config since a few weeks ago. I would expect you will see the errors appearing again during the next brownout period. :-/

For our environments the brownout seems to have ended at about 10AM CEST (2 hours ago) so it could very well be that you unfortunately were testing after the brownout. I've been looking through the code, it looks to me like the Line 75 in 4d527f8
This makes sense, because this path is also where the argocd-ssh-known-hosts-cm is mounted by the argocd helm chart:

```yaml
- mountPath: /app/config/ssh
  name: ssh-known-hosts
```

So it seems to me like we should extend the

Probably the same happened to us and that's why we saw it solved...

We had a syntax error in the ssh-config mounted at /home/argocd/.ssh/config and that error showed up in the Argo UI, so I'd assume it is being used. Very possible that we tested after the brownout however.

I did some testing yesterday and believe the issue might be in Argo. It seems like the git implementation used in argo does some parts with the Go user agent and some with the OpenSSH user agent. To check which of the 2 processes is using the wrong signature I used the reposerver container to manually do a git fetch (uses OpenSSH user agent) with extra verbosity. ( This results in the following (removed a lot of content that is not ):
It shows that it uses rsa-sha2-512, and thus should work with Azure DevOps during the brownouts and after the removal of ssh-rsa, but since we have not seen any other brownouts I could not run this during a brownout. While for GitHub the issue was to use an elliptic key, this should be fixed in argo or the go-git client.

We are having issues again today, so it seems like this did not in fact resolve

We are having issues again today so it seems like it just worked for us because the brownout had ended

Looks like the brownout is over again...

Joining this thread as we also just recently regenerated our SSH key as Microsoft advised but then during the next brownout observed the issue. Reading through this I'm not certain we've identified a solution or if we need one (aka once ADO kills ssh-rsa it just works)... Anyone considered using HTTPS? Any pros or cons I should be aware of over SSH? I'm guessing SSH security is considered better, asymmetric crypto versus PAT-based HTTP basic auth? Anything else?

https://devblogs.microsoft.com/devops/ssh-rsa-deprecation/
According to their schedule the brownout times and lengths will increase to 8 and 12 hours per day in the next week(s). That will be very annoying to sit out and hope it will take the correct algorithm afterwards.
I just took a look at the code and have no idea how everything is wired together, but these parts look interesting: https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L267-L279 where the git ssh client is constructed. I took a look in our reposerver with
which is what we defined as custom config. Nevertheless, we are getting the errors. Maybe we need a way to configure custom algorithms here? https://github.com/argoproj/argo-cd/blob/master/util/git/client.go#L267

@patst we are coming to the same conclusions by digging through the code and we hope to test this to confirm and hopefully submit a patch.

Hi, I'm using ArgoCD v2.7.11. Thanks to @bartoszpyrek I managed to get this working by:
Public key is of the form:
Also, it seems there's no need to update the known_hosts configuration, nor skip server verification. Finally, I updated my secret which contains my SSH private key with the new one, also with the newline at the end, and restarted. I manually deleted repositories which use the old SSH key and let ArgoCD re-create them (ArgoCD manages its own configuration, using the App of Apps pattern). Now everything is fine, let's see if this works during the next days... Good luck 🤞

@aurel4oxand let me guess, you tested this somewhere in the last 40 minutes? The brownout is over :)

In our stack, we use Argo CD to manage Argo CD. When I implemented the fix, Argo CD was failing with the main error, so I could not bump the version. I had to log onto k8s and manually bump the repo server version, after which stuff appeared to work. I do however see today that this appears to have been purely coincidental. I am continuing to try and resolve this, however today the brownouts appeared to be even more inconsistent with some fetches working and others not. Also, I am a complete noob when it comes to how Git/SSH works at the transport level, so I'm learning a lot.

How do I reproduce the command that ArgoCD fires at Azure DevOps? I tried to reproduce a git operation that uses the ssh-rsa signature but I failed. It keeps defaulting to rsa-sha2-512.

```powershell
$env:GIT_SSH_COMMAND="ssh -vvv -i keyfile -o IdentitiesOnly=yes"
git pull
```

which results in a verbose ssh log:
Additionally I can confirm that any RSA key works irrespective of the

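To answer the recurring question in this thread of which signature algorithm a verbose ssh session actually used, here is an added example (not code from this thread or from Argo CD) that parses `ssh -vvv` output for the negotiated host-key algorithm, the algorithm used to sign with the user key, and the Azure DevOps throttling banner quoted in this issue. The log lines are constructed samples modelled on OpenSSH's debug messages; their exact wording is an assumption.

```python
import re

# Constructed sample of `ssh -vvv` client output (not a real capture), modelled on
# OpenSSH debug messages. The banner text is the one quoted in this issue.
SAMPLE_OK = """\
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: rsa-sha2-512
debug1: Offering public key: /home/argocd/.ssh/id_rsa RSA SHA256:AAAA agent
debug1: Server accepts key: /home/argocd/.ssh/id_rsa RSA SHA256:AAAA agent
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:AAAA
debug1: Authentication succeeded (publickey).
"""

SAMPLE_THROTTLED = """\
debug1: kex: host key algorithm: ssh-rsa
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:AAAA
remote: ssh-rsa is about to be deprecated and your request has been throttled. Please use rsa-sha2-256 or rsa-sha2-512 instead.
"""

HOSTKEY_RE = re.compile(r"kex: host key algorithm: (\S+)")
SIGN_RE = re.compile(r"sign_and_send_pubkey: signing using (\S+)")
BANNER_RE = re.compile(r"ssh-rsa is about to be deprecated")
DEPRECATED = {"ssh-rsa"}  # SHA-1 based RSA signature scheme being sunset by Azure DevOps


def analyse_ssh_log(log: str) -> dict:
    """Summarise which signature algorithms an ssh -vvv session negotiated."""
    result = {"host_key_alg": None, "pubkey_sig_alg": None,
              "azure_throttle_banner": False, "findings": []}
    for line in log.splitlines():
        if m := HOSTKEY_RE.search(line):
            result["host_key_alg"] = m.group(1)      # server host key signature
        elif m := SIGN_RE.search(line):
            result["pubkey_sig_alg"] = m.group(1)    # client user key signature
        elif BANNER_RE.search(line):
            result["azure_throttle_banner"] = True   # server-side brownout warning
    for field in ("host_key_alg", "pubkey_sig_alg"):
        if result[field] in DEPRECATED:
            result["findings"].append(f"{field} uses deprecated {result[field]}")
    if result["azure_throttle_banner"]:
        result["findings"].append("server reported ssh-rsa throttling")
    return result


if __name__ == "__main__":
    for name, log in [("ok", SAMPLE_OK), ("throttled", SAMPLE_THROTTLED)]:
        print(name, analyse_ssh_log(log))
```

Feed it the stderr of a `git fetch` run with `GIT_SSH_COMMAND="ssh -vvv"` from inside the repo-server container; a session that is still signing with ssh-rsa is the one to fix.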
@cveld enabling ssh-rsa in the ssh user config file should be more or less similar to what argocd does, i.e. the inverse of this doc: https://learn.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops#q-ssh-cannot-establish-a-connection-what-should-i-do You can't reproduce it by default with an ssh or git client because they disabled ssh-rsa in openssh 1-2 years ago. It's not an exact reproduction because argocd does this in go code instead of using the native client, but the approximation is close enough I think.

@rouke-broersma thanks! I was able to reproduce the brownout with the following in

I have multiple Argo CD clusters, on 1 cluster I am running some small changes, that 1 appears to not be experiencing brownouts while the other clusters are experiencing brownouts. The difference is the go-get version. I ran Will need to see what's in that change and deploy my fix to all environments to confirm...

@rouke-broersma IMO I think initializing

Ok, I believe I have traced down the root cause...

Seems solid. It would break old implementations though, but I assume that is ok since ssh-rsa is deprecated and dropped to start with. But only the ArgoCD maintainers can decide this, whether it hits BC or if they allow it and so on.

The issue is with HostKeyAlgorithms not KeyExchangeAlgorithms. The issue with an environment variable is that the nativeclient which is used for 90% of argocd git interaction would read from See confusion here for example: #17634 (comment) I think short term the update of the knownhosts library will fix this issue, but long term the differences between go-git and nativeclient need to be resolved because it seems like argocd maintainers also forget about these differences (understandable, but dangerous since it involves crypto and authentication).

Thanks @zamedic - I've merged your PR. Before cherry-picking this change into supported release branches and putting out a fix release, can somebody confirm that this actually fixes the issue? For example, by running an image that's been built off the latest code (once the image has been built)? I do not have access to an Azure DevOps Git repository, unfortunately.

Anyone inclined to test a build off the master branch with the fix included, the image is

We're preparing our dev environment for testing this change. Unfortunately there is no brownout at the moment, so we will have to wait until Microsoft randomly turns on the brownout somewhere within the next 20 minutes to 2 hours.

Is this image also available as a helm chart? I could test it but my clusters have Argo installed via the helm chart.

You can overwrite the image in the helm chart: https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml#L56

@jannfis I can confirm the fix addresses the issue for my reproduction case. I built the image from the PR branch, and was able to test it just before the most recent brownout ended. I had 2 separate namespace-scoped Argo CD instances targeting the same private Azure repo...
So presuming the brownout period is shared between them (no reason to think otherwise), I can no longer reproduce.

The brownout is active... and we are no longer impacted 🎉 We're looking forward to the next Argo release!

Thanks for testing, folks. I'll cut releases today.

2.10.9 is out, 2.9.14 and 2.8.18 are being built and on their way. Please let us know if those new releases do not fix the issue for you.

Fixes argoproj#17634
Signed-off-by: Enno Boland <g@s01.de>

We are waiting on a brownout to test in our dev environment (2.10.9) then move forward to qa and prod... I'll post an update as soon as I know if it works! We appreciate the hard work!

All credits actually go to the people in this thread discussing their observations and potential causes, @zamedic who finally found the root cause and contributed a fix, and all those fine folks who tested it. The Argo community is just awesome ❤️

That's amazing, GG! Any chance to get this fix applied to previous releases? Thanks for this 🙏

You're running an EOL version of ArgoCD and will not receive this patch, you should change your upgrade processes to reflect this: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#patch-releases-eg-25x

Thx, I should've checked that 👍

Since I've not heard from folks still affected after upgrading, I'm going to close this issue for now. If anybody running 2.10.9, 2.9.14 or 2.8.18 (and higher) still encounters RSA-related issues with Azure DevOps, feel free to ping on this issue to have it re-opened.

I had version v2.1.5 installed and couldn't resolve the issue despite following the recommendations provided here. Eventually, I upgraded to version v2.9.0+9cf0c69, but not before performing a backup and restore. For now, the problem has been resolved.

Hi all,
Microsoft published a blog post on Feb 15th 2024 to sunset ssh-rsa support and wants to migrate to rsa-sha2-256/512.
Blog Post: https://devblogs.microsoft.com/devops/ssh-rsa-deprecation/
Based on their schedule, everyone that still uses their service should be in Phase 2, where a throttling/delay is in place and an error is shown with the following message.
“ssh-rsa is about to be deprecated and your request has been throttled. Please use rsa-sha2-256 or rsa-sha2-512 instead. Your session will continue automatically. For more details see https://devblogs.microsoft.com/devops/ssh-rsa-deprecation.”
This error is also shown within Argo.
After searching a bit, it seems like golang/crypto already supports rsa-sha2-256/512, but sadly starting from v0.21.0.
(golang/crypto@6fad3dfc)
Argo seems to use v0.19.0:
argo-cd/go.mod, line 85 in 1bddee2
Also found a relevant issue in this regard: #7600
Describe the bug
Argo is currently unable to pull git repositories provided by Azure DevOps Repos and stops after receiving the delay error.
To Reproduce
Pull a repository from their service with an SSH key.
Expected behavior
Argo pulls changes or state from the git repository.
Version

```text
argocd@argocd-core-server-588df95858-5jcc7:~$ argocd version
argocd: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:05:50Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
```

Logs
Logs from repo-server: