From 42da58bc19178c2248b6ca3e76c31abf93f2752c Mon Sep 17 00:00:00 2001 From: Simon Gerber Date: Tue, 17 Dec 2024 09:53:27 +0100 Subject: [PATCH] Add support for https catalog repo Because component-argocd can't use Vault references directly (due to needing to be able to be synced to setup the Vault integration during cluster bootstrap), we simply provide a parameter which contains the name of an externally managed secret in the `syn` namespace. This secret must have keys `username` and `password` which will be configured as the credentials for the cluster catalog if the catalog URL starts with `https://`. --- class/defaults.yml | 2 ++ component/argocd.jsonnet | 28 +++++++++++++++---- .../ROOT/pages/references/parameters.adoc | 12 ++++++++ 3 files changed, 36 insertions(+), 6 deletions(-) diff --git a/class/defaults.yml b/class/defaults.yml index 63681be9..a88e6948 100644 --- a/class/defaults.yml +++ b/class/defaults.yml @@ -26,6 +26,8 @@ parameters: override: {} + http_credentials_secret_name: catalog-http-credentials + images: kubectl: registry: docker.io diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet index b902381a..6dbe3d23 100644 --- a/component/argocd.jsonnet +++ b/component/argocd.jsonnet @@ -215,6 +215,8 @@ local repoServer = { local argocdOverride = com.makeMergeable({ spec: params.override }); +local useHttpsCatalog = std.startsWith(inv.parameters.cluster.catalog_url, 'https://'); + local argocd(name) = kube._Object('argoproj.io/v1beta1', 'ArgoCD', name) { metadata+: { 
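Review bot: The default added in class/defaults.yml is `catalog-http-credentials`, but the parameters.adoc hunk of this same commit documents the default as `catalog-https-credentials`. An operator who pre-creates the secret under the documented name would leave the ArgoCD credential entry pointing at a secret that does not exist, so HTTPS catalog fetches would presumably fail to authenticate during bootstrap. Pick one spelling and use it in both places, for example `http_credentials_secret_name: catalog-https-credentials` here if the documented name is the intended one.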
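Review bot: `useHttpsCatalog` deserves a comment, since it alone decides whether username/password secrets are attached to the catalog repo. `std.startsWith` is a case-sensitive prefix match, so a `catalog_url` beginning with `http://` (or an upper-case scheme) takes the SSH branch in the next hunk and gets no HTTP credentials. That keeps the credentials off plaintext transport, but nothing in the code says it is deliberate. Suggested comment above the local: `// Only https:// catalog URLs get username/password credentials; every other scheme, including plain http://, keeps the SSH key template.`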
@@ -230,12 +232,26 @@ local argocd(name) = applicationInstanceLabelKey: 'argocd.argoproj.io/instance', controller: applicationController, initialRepositories: '- url: ' + inv.parameters.cluster.catalog_url, - repositoryCredentials: ||| - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey - |||, + repositoryCredentials: if useHttpsCatalog then + ||| + - url: %(catalog_url)s + usernameSecret: + name: %(secret)s + key: username + passwordSecret: + name: %(secret)s + key: password + ||| % { + catalog_url: inv.parameters.cluster.catalog_url, + secret: params.http_credentials_secret_name, + } + else + ||| + - url: ssh://git@ + sshPrivateKeySecret: + name: argo-ssh-key + key: sshPrivateKey + |||, initialSSHKnownHosts: { keys: ||| bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc index 9be02b11..d96bb479 100644 --- a/docs/modules/ROOT/pages/references/parameters.adoc +++ b/docs/modules/ROOT/pages/references/parameters.adoc @@ -115,6 +115,18 @@ default:: `{}` Override specs of the ProjectSyn ArgoCD instance. +== `http_credentials_secret_name` + +[horizontal] +type:: string +default:: `catalog-https-credentials` + +The name of the externally managed secret which holds the username and password for fetching the catalog repo over HTTPS in fields `username` and `password`. + +This parameter is only used when the cluster's catalog repo URL starts with `https://`. + +IMPORTANT: Users must ensure that this secret is in place before this component is synced. + == `images` [horizontal]
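Review bot: The HTTPS branch of `repositoryCredentials` builds YAML by `%`-formatting `catalog_url` and `http_credentials_secret_name` into the text block as unquoted scalars. Both values come from the inventory, so this is a robustness point rather than an injection one, but a value that YAML reads differently (one containing ` #` or `: `, or a name such as `null`) would silently produce a wrong or truncated credential entry. Passing them through `std.escapeStringJson`, which emits a double-quoted string that is also a valid YAML scalar, avoids that: `catalog_url: std.escapeStringJson(inv.parameters.cluster.catalog_url),` and `secret: std.escapeStringJson(params.http_credentials_secret_name),`. The enclosing `argocd(name)` object starts before this hunk and continues after it.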