Add support for https catalog repo

Because component-argocd can't use Vault references directly (due to needing to be able to be synced to setup the Vault integration during cluster bootstrap), we simply provide a parameter which contains the name of an externally managed secret in the `syn` namespace. This secret must have keys `username` and `password` which will be configured as the credentials for the cluster catalog if the catalog URL starts with `https://`.
projectsyn · Dec 17, 2024 · 42da58b · 42da58b
1 parent 19c456e
commit 42da58b
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -26,6 +26,8 @@ parameters:
 
     override: {}
 
+    http_credentials_secret_name: catalog-http-credentials
+
     images:
       kubectl:
         registry: docker.io

diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
@@ -215,6 +215,8 @@ local repoServer = {
 
 local argocdOverride = com.makeMergeable({ spec: params.override });
 
+local useHttpsCatalog = std.startsWith(inv.parameters.cluster.catalog_url, 'https://');
+
 local argocd(name) =
   kube._Object('argoproj.io/v1beta1', 'ArgoCD', name) {
     metadata+: {
@@ -230,12 +232,26 @@ local argocd(name) =
       applicationInstanceLabelKey: 'argocd.argoproj.io/instance',
       controller: applicationController,
       initialRepositories: '- url: ' + inv.parameters.cluster.catalog_url,
-      repositoryCredentials: |||
-        - url: ssh://git@
-          sshPrivateKeySecret:
-            name: argo-ssh-key
-            key: sshPrivateKey
-      |||,
+      repositoryCredentials: if useHttpsCatalog then
+        |||
+          - url: %(catalog_url)s
+            usernameSecret:
+              name: %(secret)s
+              key: username
+            passwordSecret:
+              name: %(secret)s
+              key: password
+        ||| % {
+          catalog_url: inv.parameters.cluster.catalog_url,
+          secret: params.http_credentials_secret_name,
+        }
+      else
+        |||
+          - url: ssh://git@
+            sshPrivateKeySecret:
+              name: argo-ssh-key
+              key: sshPrivateKey
+        |||,
       initialSSHKnownHosts: {
         keys: |||
           bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -115,6 +115,18 @@ default:: `{}`
 
 Override specs of the ProjectSyn ArgoCD instance.
 
+== `http_credentials_secret_name`
+
+[horizontal]
+type:: string
+default:: `catalog-https-credentials`
+
+The name of the externally managed secret which holds the username and password for fetching the catalog repo over HTTPS in fields `username` and `password`.
+
+This parameter is only used when the cluster's catalog repo URL starts with `https://`.
+
+IMPORTANT: Users must ensure that this secret is in place before this component is synced.
+
 == `images`
 
 [horizontal]