git artifact fetch of reference fails due to missing credentials

[Mohjive]

Checklist:

• [ x] I've included the version.
• [ x] I've included reproduction steps.
• [ x] I've included the workflow YAML.
• [ x] I've included the logs.

What happened:
I tried to checkout a gerrit change reference, using git artifacts. It failed due to the fetch didn't use authentication.

What you expected to happen:
The repo is cloned and the change is fetched and checked out.

How to reproduce it (as minimally and precisely as possible):

1. Set up a git server with authentication enabled
2. Try to fetch and checkout a reference from that server

Anything else we need to know?:
To verify the setup I tried a clone and checkout a revision that exists, like a branch, and then it works, so it's the fetch that fails.
It can also be seen in artifacts/git.go that Auth is missing from FetchOptions (https://github.com/argoproj/argo/blob/master/workflow/artifacts/git/git.go#L106).

Environment:

• Argo version:

Argo 2.4.3

• Kubernetes version :

K8s v1.14.8

Other debugging information (if applicable):

• workflow:

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: git-test-
spec:
  entrypoint: gerrit-change
  templates:
  - name: gerrit-change
    inputs:
      artifacts:
      - name: my-project
        path: /src
        git:
          repo: https://my-gerrit-server.com/projects/my-project.git
          fetch: ["refs/changes/12/12345/123:change"]
          revision: "change"
          usernameSecret:
            name: gerrit-credentials
            key: username
          passwordSecret:
            name: gerrit-credendtials
            key: password
          insecureIgnoreHostKey: true
    container:
      image: golang:1.10
      command: [sh, -c]
      args: ["git status && ls -la"]
      workingDir: /src

• executor logs:

Loading...

• workflow-controller logs:

time="2020-03-02T22:08:22Z" level=info msg="Processing workflow" namespace=argo workflow=git-test-knzvf
time="2020-03-02T22:08:23Z" level=info msg="Updating node git-test-knzvf (git-test-knzvf) status Pending -> Error"
time="2020-03-02T22:08:23Z" level=info msg="Updating node git-test-knzvf (git-test-knzvf) message: failed to load artifacts: authentication required"
time="2020-03-02T22:08:23Z" level=info msg="Updated phase Running -> Error" namespace=argo workflow=git-test-knzvf
time="2020-03-02T22:08:23Z" level=info msg="Updated message  -> failed to load artifacts: authentication required" namespace=argo workflow=git-test-knzvf
time="2020-03-02T22:08:23Z" level=info msg="Marking workflow completed" namespace=argo workflow=git-test-knzvf

---

Message from the maintainers:

If you are impacted by this bug please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.

[alexec]

It is simply the case that we do not support authentication for Git. I think we should remove the go-git library and use Git directly. @jessesuen @sarabala1979 reason for using go-git here?

[cyclingwithelephants]

I have been looking at an example very similar to the above which currently exists within the argo repository and it talks about authenticating to a private git repository.

https://github.com/argoproj/argo/blob/master/examples/input-artifact-git.yaml

Is this really not possible? how else are we supposed to do CI on a private repository? If it's not possible what is the above actually an example of?

[alexec]

Maybe related: #3246

[cyclingwithelephants]

I'm the same person, my use case is slightly different and shows it being supported in the example I provided so I opened a new ticket :)

[alexec]

v2.10