Using the new OCI support as an application source with AWS ECR

[jennerm]

Hi, I am trying to use the new OCI support in Argo CD 3.1 to create an application with a source that is an AWS ECR repository, but my application fails to sync with an error:

    message: 'Failed to load target state: failed to generate manifest for source
      1 of 1: rpc error: code = Unknown desc = failed to resolve revision "0.0.2":
      cannot get digest for revision 0.0.2: HEAD "https://1234567890.dkr.ecr.eu-west-1.amazonaws.com/v2/cluster-deployment/core-eks-cluster-dev01/test-oci/manifests/0.0.2":
      basic credential not found'

My guess is that there is a mismatch between my repository setup and the repoURL in my application resource, and they are not matching. Unfortunately the new example in the docs https://argo-cd.readthedocs.io/en/latest/user-guide/oci/ does not give an example of how to set up the repository. I rummaged in the MR raised by @blakepettersson and saw that a new type was created (https://github.com/argoproj/argo-cd/pull/18646/files#diff-667adf2824d085efeff7ce304e59e98060281c2741bf39755db16ccfebe66bd5R72), so I copied that and the syntax of the other fields too, but I wonder if something else is missing from my repository secret? Or perhaps the AWS credentials I have put in the password are incorrect?

Here is my config:
version: 3.1.1

Application

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: test-oci
  namespace: argocd
spec:
  project: default
  source:
    path: components/digieco-httpbin-service
    repoURL: oci://1234567890.dkr.ecr.eu-west-1.amazonaws.com/cluster-deployment/core-eks-cluster-dev01/test-oci
    targetRevision: 0.0.2
  destination:
    server: "https://kubernetes.default.svc"
    namespace: test-only

I am using External-secrets operator to manage the AWS ECR auth token (having given the argocd-repo-server serviceaccount an IRSA annotation linked to a IAM role with permissions to get the token):

apiVersion: generators.external-secrets.io/v1alpha1
kind: ECRAuthorizationToken
metadata:
  name: ecr-localaccount-auth-token
  namespace: argocd
spec:
  region: eu-west-1
  auth:
    jwt:
      serviceAccountRef:
        name: argocd-repo-server
---
  apiVersion: external-secrets.io/v1
  kind: ExternalSecret
  metadata:
    name: digieco-eks-components-repo-ecr-localaccount
    namespace: argocd
  spec:
    refreshInterval: "1h"
    target:
      name: digieco-eks-components-repo-ecr-localaccount
      creationPolicy: Owner
      deletionPolicy: Retain
      template:
        type: Opaque
        data:
          url: oci://1234567890.dkr.ecr.eu-west-1.amazonaws.com
          type: "oci"
          name: "digieco-eks-components-repo-ecr-localaccount"
          username: "{{ .username }}"
          password: "{{ .password  }}"
        metadata:
          labels:
            argocd.argoproj.io/secret-type: repository
    dataFrom:
      - sourceRef:
          generatorRef:
            apiVersion: generators.external-secrets.io/v1alpha1
            kind: ECRAuthorizationToken
            name: "ecr-localaccount-auth-token"

This sets up the secret successfully:

apiVersion: v1
data:
  name: ZGlnaWVjby1la3MtY29tcG9uZW50cy1yZXBvLWVjci1sb2NhbGFjY291bnQ=
  password: ZXlKd1lYbH-blahblah
  type: b2Np
  url: b2NpOi8vNzY3Mzk3OTExOTE4LmRrci5lY3IuZXUtd2VzdC0xLmFtYXpvbmF3cy5jb20=
  username: QVdT
kind: Secret
metadata:
  annotations:
    reconcile.external-secrets.io/data-hash: 2eacbd7085b935274e100c5d90570c502fee2d4dba2fb3be0cf8e4c9
  creationTimestamp: "2025-09-09T17:03:13Z"
  labels:
    argocd.argoproj.io/secret-type: repository
    reconcile.external-secrets.io/created-by: 3798aa91f222a55bc56e470c7a0d21e59dcafbc2d9e08e50f2ce45cc
    reconcile.external-secrets.io/managed: "true"
  name: digieco-eks-components-repo-ecr-localaccount
  namespace: argocd
type: Opaque

Where the opaque values are:

• name: digieco-eks-components-repo-ecr-localaccount
• password: A JWT auth token: eyJwYXlsb2FkIjoiWn....
• type: oci
• url: oci://1234567890.dkr.ecr.eu-west-1.amazonaws.com
• username: AWS

I have tried:

• url: oci://1234567890.dkr.ecr.eu-west-1.amazonaws.com/*
• url: oci://1234567890.dkr.ecr.eu-west-1.amazonaws.com/**

as well, with no luck.

Any insight into this error would be greatly appreciated.

Thanks,
Mark