fix: Declarative helm repositories with missing secret causes all repositories in ArgoCD to lock (#3492) #5363
Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
Codecov Report
@@ Coverage Diff @@
## master #5363 +/- ##
==========================================
+ Coverage 40.92% 40.98% +0.06%
==========================================
Files 137 137
Lines 18562 18566 +4
==========================================
+ Hits 7596 7610 +14
+ Misses 9881 9876 -5
+ Partials 1085 1080 -5
Just logging the error will be a bad user experience, since it provides no direct feedback as before. Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
I am especially interested in feedback about my handling in the error case. Currently, if a secret cannot be resolved, the user sees no repositories at all, but gets an error that explains the cause: A missing secret. With my fix, the repository will have a connection state set to failed. I tested for unintended side effects but could not find any, but I may be missing something?
Hey @jangraefen, thank you for this awesome PR! Nice to see that you are actually increasing the test coverage, that is something much appreciated! As for feedback on your error handling: I like the fact that it's exposed as connection failure, but I think we should not expose the gory details to the user. That's probably more confusing than helping, and also provides some intimate details about the cluster assets that should not be exposed to prying eyes. So my proposal in this case would be, to set the reason of the connection failure to something along the lines
Instead of displaying a technical error message that might expose critical information about the cluster, we only display a generic error message. The actual error is then logged to the server log, so that an administrator can further drill down into the problem Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
Thank you @jannfis for your feedback! My line of thinking was that the actual error message was exposed before, so it would be nice to not have less information than before on the actual cause. I do however realize that this information was exposed just because of the very bug I fixed. Good catch! 👍 I changed the message to the one you proposed, with a "please" added, to be more polite :-). The logging is right below.
This reverts commit a38ff65 Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
@jannfis Can you maybe have a look? For some reason the CodeQL analysis is failing and I have no idea why? The code seems completely unrelated to my changes. I still commented out my changes that I might since the analysis is failing, still no luck. Has CodeQL updated its database and this is not related to my change? I am completely lost 😢
I confirmed that the CodeQL error also occurs on the master branch, by running the checks locally. How do I best proceed with this PR?
@jangraefen Never mind the CodeQL issue, I will take care of it (I had a quick look and it's most likely a false positive anyway).
Thanks a lot for this PR @jangraefen - looks great so far. I have some minor comments and one topic up for discussion, please see below for more details.
@jangraefen So I finally came around to test this PR locally, but somehow the detailed error message will still propagate to the client:
[vagrant@argocd-dev argo-cd]$ ./dist/argocd --server 127.0.0.1:8080 --plaintext --insecure repo list
TYPE NAME REPO INSECURE OCI LFS CREDS STATUS MESSAGE
git https://github.com/jannfis/argocd-example-apps false false false false Failed Unable to connect to repository: secret "repo-2563674859" did not contain key "username"
Hey @jannfis, thank you very much for having a look. I had another close look at the source code to see if I could trace the problem, but came up empty handed. I will try to reproduce it with a running instance this evening. Just to make sure there is something obvious going wrong: Since it was programmed this way in a previous iteration, did you maybe have the code checked out and just need to give it a
@jangraefen I did test it on the latest commits from the PR (pulled using GitHub CLI), and I validated that I'm at the tip of that branch. I will have a look too on what's going on.
@jannfis Thank you for clarifying 🙂. I am sure it is something stupid on my part and I will definitely dive into this tonight.
@jannfis I found the issue. My code is working just fine, but in the repository Anyway, we cannot employ the same tactic as before. The error we get now could be Kubernetes related (secret missing, secret misconfigured, etc.) or it could be Git related (connection error, etc.). To distinguish here we would need to introduce a custom error type here, just as you suggested in the review.
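One way to implement the custom error type discussed in this thread, added here as an example and not taken from the PR or from Argo CD. `CredentialsError`, `ClientMessage`, the generic message text and the sample errors are hypothetical, and passing Git-side errors through to the client unchanged is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// CredentialsError is a hypothetical type marking failures that come from
// resolving repository credentials (missing secret, missing key, ...).
type CredentialsError struct {
	Repo string
	Err  error
}

func (e *CredentialsError) Error() string {
	return fmt.Sprintf("credentials for %s: %v", e.Repo, e.Err)
}

func (e *CredentialsError) Unwrap() error { return e.Err }

// genericCredsMessage is constructed wording, not the message used in the PR.
const genericCredsMessage = "Unable to resolve repository credentials. Check the server logs for details."

// ClientMessage returns the text that may go into the connection state sent to
// API clients. Credential failures are logged in full on the server and replaced
// by the generic message; other errors (assumed Git-side) pass through.
func ClientMessage(err error) string {
	if err == nil {
		return ""
	}
	var ce *CredentialsError
	if errors.As(err, &ce) { // also matches when the error was wrapped with %w
		log.Printf("repository %s: credential resolution failed: %v", ce.Repo, ce.Err)
		return genericCredsMessage
	}
	return fmt.Sprintf("Unable to connect to repository: %v", err)
}

func main() {
	// Constructed errors modelled on the CLI output quoted in the thread.
	secretErr := &CredentialsError{
		Repo: "https://example.invalid/repo.git",
		Err:  errors.New(`secret "repo-0000000000" did not contain key "username"`),
	}
	wrapped := fmt.Errorf("list repositories: %w", secretErr)
	fmt.Println(ClientMessage(wrapped))
	fmt.Println(ClientMessage(errors.New("dial tcp: connection refused")))
}
```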
LGTM. Thanks for working this through with me, @jangraefen. Much appreciated!
@jannfis And thank you for reviewing this PR and being so patient with me 🙂.
…ositories in ArgoCD to lock (argoproj#3492) (argoproj#5363)

* Add test for get repository credentials
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Log error on missing repository credentials
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Fix import formatting
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Use connection state instead of logging
  Just logging the error will be a bad user experience, since it provides no direct feedback as before.
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Fix test to check for connection state
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Do not expose technical message directly
  Instead of displaying a technical error message that might expose critical information about the cluster, we only display a generic error message. The actual error is then logged to the server log, so that an administrator can further drill down into the problem
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Adapt tests to new error message
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Retrigger CI pipeline
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* See if I am actually the cause of this error
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Revert changes to evaluate CodeQL result
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Desperate attempt to find the cause of the CodeQL error
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Revert "Desperate attempt to find the cause of the CodeQL error"
  This reverts commit a38ff65
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Fix first to review findings
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Propose a better function name and add docu
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Overwrite connection status for refresh as well
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
* Fix goimports lint issue
  Signed-off-by: Jan Graefen <223234+jangraefen@users.noreply.github.com>
Issue details: #3492