Merge pull request #215 from projectsyn/feat/https-catalog

Add support for https catalog repo
projectsyn · Dec 17, 2024 · 8c31821 · 8c31821
2 parents 25becd8 + e4d3111
commit 8c31821
Show file tree

Hide file tree

Showing 43 changed files with 45,112 additions and 9 deletions.
diff --git a/.cruft.json b/.cruft.json
@@ -1,13 +1,13 @@
 {
   "template": "https://github.com/projectsyn/commodore-component-template.git",
-  "commit": "8840f87d25d97ce0d4bfed75d40173caaf4100fc",
+  "commit": "ff9d5a839714344345b76be069ea23e39e580f38",
   "checkout": "main",
   "context": {
     "cookiecutter": {
       "name": "Argo CD",
       "slug": "argocd",
       "parameter_key": "argocd",
-      "test_cases": "defaults openshift params prometheus",
+      "test_cases": "defaults openshift params prometheus https-catalog",
       "add_lib": "y",
       "add_pp": "n",
       "add_golden": "y",

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -36,6 +36,7 @@ jobs:
           - openshift
           - params
           - prometheus
+          - https-catalog
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}
@@ -54,6 +55,7 @@ jobs:
           - openshift
           - params
           - prometheus
+          - https-catalog
     defaults:
       run:
         working-directory: ${{ env.COMPONENT_NAME }}

diff --git a/Makefile.vars.mk b/Makefile.vars.mk
@@ -57,4 +57,4 @@ KUBENT_IMAGE    ?= ghcr.io/doitintl/kube-no-trouble:latest
 KUBENT_DOCKER   ?= $(DOCKER_CMD) $(DOCKER_ARGS) $(root_volume) --entrypoint=/app/kubent $(KUBENT_IMAGE)
 
 instance ?= defaults
-test_instances = tests/defaults.yml tests/openshift.yml tests/params.yml tests/prometheus.yml
+test_instances = tests/defaults.yml tests/openshift.yml tests/params.yml tests/prometheus.yml tests/https-catalog.yml
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -26,6 +26,8 @@ parameters:
 
     override: {}
 
+    http_credentials_secret_name: catalog-http-credentials
+
     images:
       kubectl:
         registry: docker.io

diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
@@ -215,6 +215,8 @@ local repoServer = {
 
 local argocdOverride = com.makeMergeable({ spec: params.override });
 
+local useHttpsCatalog = std.startsWith(inv.parameters.cluster.catalog_url, 'https://');
+
 local argocd(name) =
   kube._Object('argoproj.io/v1beta1', 'ArgoCD', name) {
     metadata+: {
@@ -230,12 +232,26 @@ local argocd(name) =
       applicationInstanceLabelKey: 'argocd.argoproj.io/instance',
       controller: applicationController,
       initialRepositories: '- url: ' + inv.parameters.cluster.catalog_url,
-      repositoryCredentials: |||
-        - url: ssh://git@
-          sshPrivateKeySecret:
-            name: argo-ssh-key
-            key: sshPrivateKey
-      |||,
+      repositoryCredentials: if useHttpsCatalog then
+        |||
+          - url: %(catalog_url)s
+            usernameSecret:
+              name: %(secret)s
+              key: username
+            passwordSecret:
+              name: %(secret)s
+              key: password
+        ||| % {
+          catalog_url: inv.parameters.cluster.catalog_url,
+          secret: params.http_credentials_secret_name,
+        }
+      else
+        |||
+          - url: ssh://git@
+            sshPrivateKeySecret:
+              name: argo-ssh-key
+              key: sshPrivateKey
+        |||,
       initialSSHKnownHosts: {
         keys: |||
           bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==

diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -115,6 +115,18 @@ default:: `{}`
 
 Override specs of the ProjectSyn ArgoCD instance.
 
+== `http_credentials_secret_name`
+
+[horizontal]
+type:: string
+default:: `catalog-https-credentials`
+
+The name of the externally managed secret which holds the username and password for fetching the catalog repo over HTTPS in fields `username` and `password`.
+
+This parameter is only used when the cluster's catalog repo URL starts with `https://`.
+
+IMPORTANT: Users must ensure that this secret is in place before this component is synced.
+
 == `images`
 
 [horizontal]

diff --git a/tests/golden/https-catalog/argocd/apps/00_default-project.yaml b/tests/golden/https-catalog/argocd/apps/00_default-project.yaml
@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: default
+  namespace: syn
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  sourceRepos:
+    - '*'
diff --git a/tests/golden/https-catalog/argocd/apps/00_syn-project.yaml b/tests/golden/https-catalog/argocd/apps/00_syn-project.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: syn
+  namespace: syn
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: https://kubernetes.default.svc
+  orphanedResources:
+    warn: false
+  sourceRepos:
+    - https://git.example.com/cluster-catalog.git
diff --git a/tests/golden/https-catalog/argocd/apps/01_rootapp.yaml b/tests/golden/https-catalog/argocd/apps/01_rootapp.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: root
+  namespace: syn
+spec:
+  destination:
+    namespace: syn
+    server: https://kubernetes.default.svc
+  project: syn
+  source:
+    directory:
+      recurse: true
+    path: manifests/apps/
+    repoURL: https://git.example.com/cluster-catalog.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
diff --git a/tests/golden/https-catalog/argocd/apps/10_argocd.yaml b/tests/golden/https-catalog/argocd/apps/10_argocd.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  annotations:
+    argocd.argoproj.io/compare-options: ServerSideDiff=true
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+  name: argocd
+  namespace: syn
+spec:
+  destination:
+    namespace: syn
+    server: https://kubernetes.default.svc
+  project: syn
+  source:
+    directory:
+      recurse: true
+    path: manifests/argocd
+    repoURL: https://git.example.com/cluster-catalog.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - ServerSideApply=true
diff --git a/tests/golden/https-catalog/argocd/argocd/01_namespace/00_namespace.yaml b/tests/golden/https-catalog/argocd/argocd/01_namespace/00_namespace.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/part-of: argocd
+    name: syn
+    openshift.io/cluster-monitoring: 'true'
+  name: syn
diff --git a/tests/golden/https-catalog/argocd/argocd/01_namespace/20_monitoring.yaml b/tests/golden/https-catalog/argocd/argocd/01_namespace/20_monitoring.yaml
@@ -0,0 +1,97 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: syn-argocd-metrics
+    app.kubernetes.io/part-of: argocd
+    name: syn-component-argocd-metrics
+  name: syn-component-argocd-metrics
+  namespace: syn
+spec:
+  endpoints:
+    - port: metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: syn-argocd-metrics
+      app.kubernetes.io/part-of: argocd
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: syn-argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+    name: syn-component-argocd-server-metrics
+  name: syn-component-argocd-server-metrics
+  namespace: syn
+spec:
+  endpoints:
+    - port: metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: syn-argocd-server-metrics
+      app.kubernetes.io/part-of: argocd
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    app.kubernetes.io/name: syn-argocd-repo-server
+    app.kubernetes.io/part-of: argocd
+    name: syn-component-argocd-repo-server
+  name: syn-component-argocd-repo-server
+  namespace: syn
+spec:
+  endpoints:
+    - port: metrics
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: syn-argocd-repo-server
+      app.kubernetes.io/part-of: argocd
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  labels:
+    cluster_id: c-green-test-1234
+    name: argocd
+    prometheus: platform
+    role: alert-rules
+    tenant_id: t-silent-test-1234
+  name: argocd
+  namespace: syn
+spec:
+  groups:
+    - name: argocd.rules
+      rules:
+        - alert: ArgoCDAppUnsynced
+          annotations:
+            dashboard: argocd
+            description: kubectl -n syn describe app {{ $labels.name }}
+            message: Argo CD app {{ $labels.name }} is not synced
+          expr: argocd_app_info{exported_namespace="syn", sync_status!="Synced"} >
+            0
+          for: 10m
+          labels:
+            severity: warning
+            syn: 'true'
+        - alert: ArgoCDAppUnhealthy
+          annotations:
+            dashboard: argocd
+            description: kubectl -n syn describe app {{ $labels.name }}
+            message: Argo CD app {{ $labels.name }} is not healthy
+          expr: argocd_app_info{exported_namespace="syn", health_status!="Healthy"}
+            > 0
+          for: 10m
+          labels:
+            severity: critical
+            syn: 'true'
+        - alert: ArgoCDDown
+          annotations:
+            dashboard: argocd
+            message: Argo CD job {{ $labels.job }} is down
+          expr: up{namespace="syn", job=~"^syn-argocd-.+$"} != 1
+          for: 5m
+          labels:
+            severity: critical
+            syn: 'true'