
Let's say something like this is being returned. I got this when attempting to add a repository to ArgoCD using the argocd repo add command.
~]# argocd repo add https://github.com/foo/bar.git
FATA[0000] rpc error: code = Unknown desc = error testing repository connectivity: Get "https://github.com/foo/bar/info/refs?service=git-upload-pack": Moved Permanently
Is there a certificate for the repo?
The argocd cert list command can be used to list the certificates that ArgoCD has been configured to trust for the target version control system, github.com in this example. These are the SSH keys that the target version control system presents that would be appended to known_hosts on the connecting system, which is ArgoCD in this scenario.
~]$ argocd cert list
HOSTNAME TYPE SUBTYPE INFO
[ssh.github.com]:443 ssh ecdsa-sha2-nistp256 SHA256:p2QAMXNICABCDFzIOttrVc98/R1BUFWu3/LiyKgUfQM
[ssh.github.com]:443 ssh ssh-ed25519 SHA256:+DiY3wvvV6CABCDFzZisF/zLDA0zPMSvHdkr4UvCOqU
[ssh.github.com]:443 ssh ssh-rsa SHA256:uNiVztksCABCDFz0u9e8BujQXVUpKZIDTMczCvj3tDs
github.com ssh ssh-rsa SHA256:uNiVztksCCABCDFz0u9e8BujQXVUpKZIDTMczCvjD2s
github.com ssh ssh-ed25519 SHA256:+DiY3wvvV6TCABCDFzisF/zLDA0zPMSvHdkr4UvCOqU
github.com ssh ecdsa-sha2-nistp256 SHA256:p2QAMXNICCABCDFzOttrVc98/R1BUFWu3/LiyKgUfQM
Additionally, let's ensure that running the argocd cert list command inside the ArgoCD server pod returns the same output.
~]$ SERVER_POD=$(oc get pod --namespace openshift-gitops --selector=app.kubernetes.io/name=openshift-gitops-server --output custom-columns=POD:.metadata.name --no-headers)
~]$ ADMIN_PASSWD=$(oc get secret openshift-gitops-cluster --namespace openshift-gitops --output jsonpath='{.data.admin\.password}' | base64 --decode)
~]$ URL=$(oc get routes --namespace openshift-gitops --selector=app.kubernetes.io/name=openshift-gitops-server --output jsonpath="{.items[*].spec.host}")
~]$ oc exec $SERVER_POD --namespace openshift-gitops -- /bin/bash -c "argocd login --username admin --password $ADMIN_PASSWD $URL:443 --insecure --grpc-web --config /home/argocd/.config; argocd cert list --server $URL:443 --insecure --grpc-web --config /home/argocd/.config"
'admin:login' logged in successfully
HOSTNAME TYPE SUBTYPE INFO
[ssh.github.com]:443 ssh ecdsa-sha2-nistp256 SHA256:p2QAMXNICABCDFzIOttrVc98/R1BUFWu3/LiyKgUfQM
[ssh.github.com]:443 ssh ssh-ed25519 SHA256:+DiY3wvvV6CABCDFzZisF/zLDA0zPMSvHdkr4UvCOqU
[ssh.github.com]:443 ssh ssh-rsa SHA256:uNiVztksCABCDFz0u9e8BujQXVUpKZIDTMczCvj3tDs
github.com ssh ssh-rsa SHA256:uNiVztksCCABCDFz0u9e8BujQXVUpKZIDTMczCvjD2s
github.com ssh ssh-ed25519 SHA256:+DiY3wvvV6TCABCDFzisF/zLDA0zPMSvHdkr4UvCOqU
github.com ssh ecdsa-sha2-nistp256 SHA256:p2QAMXNICCABCDFzOttrVc98/R1BUFWu3/LiyKgUfQM
Ingress and Egress Network Policies
The kubectl (Kubernetes) or oc (OpenShift) get networkpolicies command can then be used to see if there are any ingress network policies denying incoming requests in the namespace you want to deploy the application to.
~]$ oc get networkpolicies
No resources found in my_project namespace.
The kubectl (Kubernetes) or oc (OpenShift) get egressnetworkpolicies command can be used to see if there are any egress network policies denying outgoing requests in the namespace ArgoCD is in.
~]$ oc get egressnetworkpolicies --namespace openshift-gitops
No resources found in openshift-gitops namespace.
NetNamespaces
The kubectl (Kubernetes) or oc (OpenShift) get netnamespaces command can be used to see if the namespace that you want to deploy the application to has a dedicated egress IP address.
~]$ oc get netnamespaces my_project
NAME NETID EGRESS IPS
my_project 9740194
If not, you may need to patch the namespace to have a dedicated egress IP address.
~]$ oc patch netnamespace my_project --type merge --patch '{ "egressIPs": [ "10.84.189.2" ] }'
netnamespace.network.openshift.io/my_project patched
Are the ArgoCD pods up and running?
The kubectl (Kubernetes) or oc (OpenShift) get pods command can be used to check whether the ArgoCD pods are up and running in the cluster where ArgoCD is deployed.
By the way, notice in this example that the application controller pod has 13 restarts whereas the other pods have 0 restarts. This is because when an application would get stuck refreshing, my application controller pod would run out of memory and start crash looping (more on this in a moment).
~]$ oc get pods
NAME READY STATUS RESTARTS AGE
cluster-f4c765c6f-tznxm 1/1 Running 0 3d15h
gitops-plugin-76c8d56cbc-xbdl7 1/1 Running 0 3d15h
kam-6fd58b8d87-ggrlr 1/1 Running 0 3d15h
openshift-gitops-application-controller-0 1/1 Running 13 (2d20h ago) 3d15h
openshift-gitops-applicationset-controller-6858947bc8-7nfhv 1/1 Running 0 3d15h
openshift-gitops-dex-server-5f8549dd48-24x72 1/1 Running 0 3d15h
openshift-gitops-redis-7bd479c78f-zb8xg 1/1 Running 0 3d15h
openshift-gitops-repo-server-694ddc84cc-66r2c 1/1 Running 0 3d15h
openshift-gitops-server-7dddf67589-g5nzq 1/1 Running 0 3d15h
Test git commands in the ArgoCD repo server pod
The kubectl (Kubernetes) or oc (OpenShift) exec command can be used to issue the git clone and then the git fetch command that is timing out, from inside the ArgoCD repo server pod.
~]$ REPO_POD=$(oc get pod --namespace openshift-gitops --selector=app.kubernetes.io/name=openshift-gitops-repo-server --output custom-columns=POD:.metadata.name --no-headers)
~]$ ADMIN_PASSWD=$(oc get secret openshift-gitops-cluster --namespace openshift-gitops --output jsonpath='{.data.admin\.password}' | base64 --decode)
~]$ URL=$(oc get routes --namespace openshift-gitops --selector=app.kubernetes.io/name=openshift-gitops-server --output jsonpath="{.items[*].spec.host}")
~]$ oc exec $REPO_POD --container argocd-repo-server --namespace openshift-gitops -- /bin/bash -c "git clone https://<personal_access_token>@github.com/foo/bar.git; cd bar; git fetch origin --tags --force --prune"
Is the proxy connection timing out?
I once saw the following when issuing the git clone command in the repo pod.
~]$ REPO_POD=$(oc get pod --namespace openshift-gitops --selector=app.kubernetes.io/name=openshift-gitops-repo-server --output custom-columns=POD:.metadata.name --no-headers)
~]$ ADMIN_PASSWD=$(oc get secret openshift-gitops-cluster --namespace openshift-gitops --output jsonpath='{.data.admin\.password}' | base64 --decode)
~]$ URL=$(oc get routes --namespace openshift-gitops --selector=app.kubernetes.io/name=openshift-gitops-server --output jsonpath="{.items[*].spec.host}")
~]$ oc exec $REPO_POD --container argocd-repo-server --namespace openshift-gitops -- git clone https://<personal_access_token>@github.com/foo/bar.git
Cloning into 'bar'...
fatal: unable to access 'https://github.com/foo/bar.git/': Failed to connect to proxy.example.com port 1080: Connection timed out
Let's say your ArgoCD repo pod contains proxy environment variables, perhaps something like this.
~]$ oc get pod openshift-gitops-repo-server-7744cbb479-7w8xd --output yaml
spec:
containers:
env:
- name: HTTPS_PROXY
value: https://proxy.example.com
- name: HTTP_PROXY
value: http://proxy.example.com
- name: NO_PROXY
value: .cluster.local,.example.com,access.redhat.com,localhost,quay.io,registry.connect.redhat.com,registry.redhat.io
Likewise your ArgoCD deployment may also contain proxy environment variables.
~]$ oc get deployment openshift-gitops-server --output yaml
spec:
containers:
env:
- name: HTTPS_PROXY
value: https://proxy.example.com
- name: HTTP_PROXY
value: http://proxy.example.com
- name: NO_PROXY
value: .cluster.local,.example.com,access.redhat.com,localhost,quay.io,registry.connect.redhat.com,registry.redhat.io
And if you try to remove the proxy environment variables from the deployment, the proxy environment variables may immediately be re-added to the deployment. This probably means that your Kubernetes or OpenShift cluster has a proxy resource. The kubectl (Kubernetes) or oc (OpenShift) get proxy command can be used to determine if the cluster has a proxy resource. In this example, there is a proxy resource named "cluster".
~]$ oc get proxy
NAME AGE
cluster 622d
And the proxy resource should contain the same proxy environment variables as listed in the ArgoCD pods and deployments.
~]$ oc get proxy cluster --output yaml
spec:
httpProxy: http://proxy.example.com
httpsProxy: https://proxy.example.com
noProxy: .cluster.local,.example.com,access.redhat.com,localhost,quay.io,registry.connect.redhat.com,registry.redhat.io
So one option here is to use the kubectl (Kubernetes) or oc (OpenShift) edit proxy cluster command to add the repo base URL such as github.com to the noProxy list in the proxy cluster resource. After doing this it may take a few moments for the change to complete since this is a cluster wide configuration change.
oc edit proxy cluster
You may need to delete the ArgoCD repo server deployment so that a new deployment gets spawned. The new deployment should contain the updated noProxy list.
oc delete deployment openshift-gitops-repo-server
[{"name":"HTTPS_PROXY","value":"https://proxy.example.com"},{"name":"HTTP_PROXY","value":"http://proxy.example.com"},{"name":"NO_PROXY","value":"github.com"}]
Or when adding the repo to ArgoCD you can use the --no-proxy option so that requests to the repo's base URL such as github.com do not use the proxy.
argocd repo add https://github.com/foo/bar.git --no-proxy github.com
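Added example (not part of the original article): a shell function that checks whether a hostname would bypass the proxy for a given NO_PROXY value, run against the noProxy list shown above before and after github.com is appended. The function names, the sample host list, and the suffix-matching rule (modelled on how libcurl, which git uses for HTTPS, treats NO_PROXY) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Simplified model of libcurl-style NO_PROXY matching
# (assumption): an entry matches the host itself or any subdomain; a
# leading dot is ignored. IP/CIDR entries and ports are not handled.

# bypasses_proxy HOST NO_PROXY_LIST -> exit status 0 if HOST skips the proxy
bypasses_proxy() {
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    list=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
    [ "$list" = "*" ] && return 0
    old_ifs=$IFS; IFS=','; set -f      # split on commas, no globbing
    matched=1
    for entry in $list; do
        entry=${entry#.}               # ".example.com" -> "example.com"
        [ -z "$entry" ] && continue
        case "$host" in
            "$entry"|*".$entry") matched=0; break ;;
        esac
    done
    IFS=$old_ifs; set +f
    return "$matched"
}

# route_for HOST NO_PROXY_LIST -> prints "direct" or "proxy"
route_for() {
    if bypasses_proxy "$1" "$2"; then echo direct; else echo proxy; fi
}

# noProxy value from the proxy resource shown above, before and after the edit
BEFORE='.cluster.local,.example.com,access.redhat.com,localhost,quay.io,registry.connect.redhat.com,registry.redhat.io'
AFTER="$BEFORE,github.com"

# Hosts to check (constructed sample list)
for h in github.com quay.io api.example.com; do
    printf '%-16s before=%-6s after=%s\n' "$h" \
        "$(route_for "$h" "$BEFORE")" "$(route_for "$h" "$AFTER")"
done
```

Other clients parse NO_PROXY slightly differently, so confirm the result with the actual git clone from the repo server pod.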