  1. OpenShift GitOps
  2. GITOPS-4645

ArgoCD Repo Server stops pulling git repositories due to Azure Devops Repos current sunset SSH-RSA strategy


      Currently, as per Engineering's suggestion, a workaround has been provided to the customer, but they are yet to confirm whether it is working for them.

      Workaround:
      Migrate from SSH to HTTPS via PAT/Password: modify the Argo CD repository credentials to use an 'https://' URL rather than an ssh/git URL. A PAT/password can be used to access the repository.


      As mentioned on the upstream issue (https://github.com/argoproj/argo-cd/issues/17634), users of Azure Repos may encounter temporary failure when using Azure Repos with a non RSA-SHA2-256 or RSA-SHA2-512 key.

      This will become a permanent failure later in Q2 2024, when Azure Repos fully disables support for these deprecated ciphers.


      Form Initiator: disharma@redhat.com

      Customer Name: kreditwerk AG

      Business Impact:

      • The customer is a Bank and they're unable to synchronize their applications.
      • This is further stopping them from deploying new releases.
      • They're unable to upgrade their software which is a big compliance & security issue considering they're a bank.
      • Request you to please treat this request as urgent and expedite the same at the earliest.

      Escalation Ticket: https://access.redhat.com/watchlist/internal/aces/EN-72479

      Description:

      As per Microsoft's official update (https://devblogs.microsoft.com/devops/ssh-rsa-deprecation), they have announced the deprecation of SSH-RSA as a supported encryption method for connecting to Azure Repos using SSH.

      Currently, all the customers who have connected Azure Repos using SSH in ArgoCD are impacted, as they are intermittently unable to sync their applications and are facing the error below:
      ```
      unknown error: remote: Command git-upload-pack: Youre using ssh-rsa that is about to be deprecated and your request has been blocked intentionally. Any SSH session using SSH-RSA is subject to brown out (failure during random time periods). Please use rsa-sha2-256 or rsa-sha2-512 instead. For more details see https://aka.ms/ado-ssh-rsa-deprecation." grpc.code=Unknown grpc.method=GenerateManifest
      ```

            jgwest Jonathan West
            rhn-support-disharma Diksha Sharma
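
An added example, not part of the ticket or of Argo CD: it audits repository credentials for the HTTPS/PAT workaround described above by flagging Azure Repos SSH URLs and deriving the HTTPS URL to pair with a PAT. The secret names, sample URLs and placeholder credentials are constructed, and the `https://dev.azure.com/{org}/{project}/_git/{repo}` layout is assumed to apply to both SSH hosts.

```python
import re

# Azure Repos SSH clone URLs: scp-like (user@host:v3/...) and ssh:// forms.
_AZURE_SSH = re.compile(
    r"^(?:ssh://)?[^@/\s]+@(?:ssh\.dev\.azure\.com|vs-ssh\.visualstudio\.com)"
    r"(?::\d+/|[:/])v3/(?P<org>[^/\s]+)/(?P<project>[^/\s]+)/(?P<repo>[^/\s]+?)/?$"
)


def https_equivalent(url):
    """Return the HTTPS clone URL for an Azure Repos SSH URL, or None if not one."""
    m = _AZURE_SSH.match(url.strip())
    if m is None:
        return None
    # Assumption: the dev.azure.com HTTPS layout applies to both SSH hosts.
    return "https://dev.azure.com/{org}/{project}/_git/{repo}".format(**m.groupdict())


def plan_migration(repo_secrets):
    """Map secret name -> replacement stringData for every affected repository."""
    plan = {}
    for name, data in repo_secrets.items():
        new_url = https_equivalent(data.get("url", ""))
        if new_url is None:
            continue  # not Azure Repos over SSH: leave untouched
        plan[name] = {
            "type": data.get("type", "git"),
            "url": new_url,
            "username": "<USERNAME-PLACEHOLDER>",
            "password": "<PAT-PLACEHOLDER>",  # sshPrivateKey is dropped on purpose
        }
    return plan


# Constructed sample: the data fields of four Argo CD repository secrets.
SAMPLE = {
    "repo-api": {"type": "git", "sshPrivateKey": "<redacted>",
                 "url": "git@ssh.dev.azure.com:v3/example-org/Payments/api"},
    "repo-ledger": {"type": "git", "sshPrivateKey": "<redacted>",
                    "url": "ssh://git@ssh.dev.azure.com:22/v3/example-org/Core/ledger"},
    "repo-github": {"type": "git", "sshPrivateKey": "<redacted>",
                    "url": "git@github.com:example/app.git"},
    "repo-web": {"type": "git", "password": "<redacted>",
                 "url": "https://dev.azure.com/example-org/Payments/_git/web"},
}

if __name__ == "__main__":
    for name, data in plan_migration(SAMPLE).items():
        print(name, "->", data["url"])
```

Only the two Azure Repos SSH entries appear in the plan; the GitHub SSH repository and the repository already on HTTPS are left as they are.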