From 5e822e0f48502d404e5cd8edf6e0133ebd156993 Mon Sep 17 00:00:00 2001
From: Simon Gerber
Date: Thu, 9 Oct 2025 16:51:37 +0200
Subject: [PATCH] Switch to using "repo secret" method for catalog URL & credentials

Externally managed https catalog secrets must be updated to have label `argocd.argoproj.io/secret-type=repo-creds` and must have `url: ` so ArgoCD can match them to the repository secret.
---
 component/argocd.jsonnet | 51 +++++++++++--------
 .../argocd/30_argocd/00_repo_secret.yaml | 12 +++++
 .../argocd/30_argocd/00_ssh_secret.yaml | 3 ++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 6 ---
 .../argocd/30_argocd/00_repo_secret.yaml | 12 +++++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 9 ----
 .../argocd/30_argocd/00_repo_secret.yaml | 12 +++++
 .../argocd/30_argocd/00_ssh_secret.yaml | 3 ++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 6 ---
 .../argocd/30_argocd/00_repo_secret.yaml | 12 +++++
 .../argocd/30_argocd/00_ssh_secret.yaml | 3 ++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 6 ---
 .../argocd/30_argocd/00_repo_secret.yaml | 12 +++++
 .../argocd/30_argocd/00_ssh_secret.yaml | 3 ++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 6 ---
 .../argocd/30_argocd/00_repo_secret.yaml | 12 +++++
 .../argocd/30_argocd/00_ssh_secret.yaml | 3 ++
 .../argocd/argocd/30_argocd/10_argocd.yaml | 6 ---
 18 files changed, 116 insertions(+), 61 deletions(-)
 create mode 100644 tests/golden/defaults/argocd/argocd/30_argocd/00_repo_secret.yaml
 create mode 100644 tests/golden/https-catalog/argocd/argocd/30_argocd/00_repo_secret.yaml
 create mode 100644 tests/golden/openshift/argocd/argocd/30_argocd/00_repo_secret.yaml
 create mode 100644 tests/golden/params/argocd/argocd/30_argocd/00_repo_secret.yaml
 create mode 100644 tests/golden/prometheus/argocd/argocd/30_argocd/00_repo_secret.yaml
 create mode 100644 tests/golden/syn-teams/argocd/argocd/30_argocd/00_repo_secret.yaml

diff --git a/component/argocd.jsonnet b/component/argocd.jsonnet
index cd0ac46a..b6a46102 100644
--- a/component/argocd.jsonnet +++ b/component/argocd.jsonnet @@ -231,27 +231,6 @@ local argocd(name) = version: params.images.argocd.tag, applicationInstanceLabelKey: 'argocd.argoproj.io/instance', controller: applicationController, - initialRepositories: '- url: ' + inv.parameters.cluster.catalog_url, - repositoryCredentials: if useHttpsCatalog then - ||| - - url: %(catalog_url)s - usernameSecret: - name: %(secret)s - key: username - passwordSecret: - name: %(secret)s - key: password - ||| % { - catalog_url: inv.parameters.cluster.catalog_url, - secret: params.http_credentials_secret_name, - } - else - ||| - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey - |||, initialSSHKnownHosts: { keys: ||| bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== 
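Review bot: Removing `initialRepositories` and `repositoryCredentials` from the CR leaves `params.http_credentials_secret_name` without a consumer in this hunk; if that parameter is still declared in the component defaults it is now dead, and the new contract the commit message states (an externally managed HTTPS secret must carry the `repo-creds` label and a matching `url`) is not recorded anywhere in code or parameter docs. I would leave a pointer at the removal site, e.g. `// Catalog repo and its credentials are rendered as labelled Secrets (ssh_secret / repo_secret), not as argocd-cm entries.`, and mark the parameter deprecated where it is documented. It is also worth confirming on an upgraded instance that the operator prunes the old `repositories` / `repository.credentials` keys from argocd-cm once the CR fields are gone — I cannot tell from this hunk whether it does, and a stale entry would define the catalog repository twice. The `argocd(name)` body starts before and continues after this hunk.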
@@ -395,8 +374,35 @@ local argocd(name) = local ssh_secret = kube._Object('v1', 'Secret', 'argo-ssh-key') { type: 'Opaque', -}; +} + if !useHttpsCatalog then { + metadata+: { + labels+: { + 'argocd.argoproj.io/secret-type': 'repo-creds', + }, + }, + stringData: { + // sshPrivateKey set by Steward -- should be safe with SSA for the ArgoCD + // app. For full safety we should update Steward to use SSA for this + // secret. + url: inv.parameters.cluster.catalog_url, + }, +} else {}; +local repo_secret = kube._Object('v1', 'Secret', 'cluster-catalog') { + type: 'Opaque', + metadata+: { + labels+: { + 'argocd.argoproj.io/secret-type': 'repository', + }, + }, + stringData: { + type: 'git', + url: inv.parameters.cluster.catalog_url, + // creds always provided in a `repo-creds` secret. Externally managed + // https secrets must be updated to have label + // `argocd.argoproj.io/secret-type=repo-creds` + }, +}; // Manually adding certificate for conversion webhook // as the upstream kustomize is broken. @@ -511,6 +517,7 @@ local tls_refresh = [ '00_vault_agent_config': vault_agent_config, '00_kapitan_plugin_config': kapitan_plugin_config, '00_ssh_secret': ssh_secret, + '00_repo_secret': repo_secret, '10_argocd': argocd('syn-argocd'), [if params.network_policies.enabled then '20_networkpolicy']: std.map(function(p) com.namespaced(params.namespace, p), import 'networkpolicy.libsonnet'), // Manually adding certificate for conversion webhook diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/00_repo_secret.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/00_repo_secret.yaml new file mode 100644 index 00000000..f4e28355 --- /dev/null +++ b/tests/golden/defaults/argocd/argocd/30_argocd/00_repo_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + argocd.argoproj.io/secret-type: repository + name: cluster-catalog + name: cluster-catalog +stringData: + type: git + url: ssh://git@git.example.com/org/repo.git +type: Opaque 
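Review bot: The `repo-creds` entry added to `argo-ssh-key` matches on `url: inv.parameters.cluster.catalog_url`, which is far narrower than the `ssh://git@` prefix the removed `repositoryCredentials` used: ArgoCD selects credential templates by URL prefix, so any other Application in this instance that relied on the same deploy key for a different SSH repository will now clone without credentials. If scoping the key to the catalog repository is intentional — it is the better least-privilege default — say so in the comment, e.g. `// url scopes this key to the catalog repo only; other repos need their own repo-creds secret.`, otherwise keep the old prefix. For the HTTPS branch the component renders no `repo-creds` secret at all, so a catalog whose external secret has not yet been relabelled is still registered by `repo_secret` and only fails at fetch time with an auth error, not at compile time; the comment on `repo_secret` should state this explicitly and the upgrade notes should carry the relabel step. The SSA remark on the ssh secret is right to flag that the rendered object omits `sshPrivateKey`; a non-SSA apply keeps that key only as long as it never appeared in last-applied state, so the claim should be verified against the sync options actually used for this app.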
diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/00_ssh_secret.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/00_ssh_secret.yaml index cec56897..b8ef6184 100644 --- a/tests/golden/defaults/argocd/argocd/30_argocd/00_ssh_secret.yaml +++ b/tests/golden/defaults/argocd/argocd/30_argocd/00_ssh_secret.yaml @@ -3,6 +3,9 @@ kind: Secret metadata: annotations: {} labels: + argocd.argoproj.io/secret-type: repo-creds name: argo-ssh-key name: argo-ssh-key +stringData: + url: ssh://git@git.example.com/org/repo.git type: Opaque diff --git a/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml index c9a9a14d..f15cf007 100644 --- a/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml +++ b/tests/golden/defaults/argocd/argocd/30_argocd/10_argocd.yaml @@ -27,7 +27,6 @@ spec: "operators.coreos.com/Subscription": "health.lua.useOpenLibs": true image: quay.io/argoproj/argocd - initialRepositories: '- url: ssh://git@git.example.com/org/repo.git' initialSSHKnownHosts: keys: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== @@ -138,11 +137,6 @@ spec: - configMap: name: kapitan-plugin-config name: kapitan-plugin-config - repositoryCredentials: | - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey resourceExclusions: |- - "apiGroups": - "cilium.io" diff --git a/tests/golden/https-catalog/argocd/argocd/30_argocd/00_repo_secret.yaml b/tests/golden/https-catalog/argocd/argocd/30_argocd/00_repo_secret.yaml new file mode 100644 index 00000000..004d51dd --- /dev/null 
+++ b/tests/golden/https-catalog/argocd/argocd/30_argocd/00_repo_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + argocd.argoproj.io/secret-type: repository + name: cluster-catalog + name: cluster-catalog +stringData: + type: git + url: https://git.example.com/cluster-catalog.git +type: Opaque diff --git a/tests/golden/https-catalog/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/https-catalog/argocd/argocd/30_argocd/10_argocd.yaml index 78b5184b..f15cf007 100644 --- a/tests/golden/https-catalog/argocd/argocd/30_argocd/10_argocd.yaml +++ b/tests/golden/https-catalog/argocd/argocd/30_argocd/10_argocd.yaml @@ -27,7 +27,6 @@ spec: "operators.coreos.com/Subscription": "health.lua.useOpenLibs": true image: quay.io/argoproj/argocd - initialRepositories: '- url: https://git.example.com/cluster-catalog.git' initialSSHKnownHosts: keys: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== @@ -138,14 +137,6 @@ spec: - configMap: name: kapitan-plugin-config name: kapitan-plugin-config - repositoryCredentials: | - - url: https://git.example.com/cluster-catalog.git - usernameSecret: - name: catalog-http-credentials - key: username - passwordSecret: - name: catalog-http-credentials - key: password resourceExclusions: |- - "apiGroups": - "cilium.io" diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/00_repo_secret.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/00_repo_secret.yaml new file mode 100644 index 00000000..f4e28355 --- /dev/null +++ b/tests/golden/openshift/argocd/argocd/30_argocd/00_repo_secret.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + argocd.argoproj.io/secret-type: repository + name: cluster-catalog + name: cluster-catalog +stringData: + type: git + url: ssh://git@git.example.com/org/repo.git +type: Opaque diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/00_ssh_secret.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/00_ssh_secret.yaml index cec56897..b8ef6184 100644 --- a/tests/golden/openshift/argocd/argocd/30_argocd/00_ssh_secret.yaml +++ b/tests/golden/openshift/argocd/argocd/30_argocd/00_ssh_secret.yaml @@ -3,6 +3,9 @@ kind: Secret metadata: annotations: {} labels: + argocd.argoproj.io/secret-type: repo-creds name: argo-ssh-key name: argo-ssh-key +stringData: + url: ssh://git@git.example.com/org/repo.git type: Opaque diff --git a/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml index 719f3c06..ed5683b0 100644 --- a/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml +++ b/tests/golden/openshift/argocd/argocd/30_argocd/10_argocd.yaml @@ -27,7 +27,6 @@ spec: "operators.coreos.com/Subscription": "health.lua.useOpenLibs": true image: quay.io/argoproj/argocd - initialRepositories: '- url: ssh://git@git.example.com/org/repo.git' initialSSHKnownHosts: keys: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== @@ -141,11 +140,6 @@ spec: - configMap: name: kapitan-plugin-config name: kapitan-plugin-config - repositoryCredentials: | - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey resourceExclusions: |- - "apiGroups": - "cilium.io" 
diff --git a/tests/golden/params/argocd/argocd/30_argocd/00_repo_secret.yaml b/tests/golden/params/argocd/argocd/30_argocd/00_repo_secret.yaml new file mode 100644 index 00000000..f4e28355 --- /dev/null +++ b/tests/golden/params/argocd/argocd/30_argocd/00_repo_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + argocd.argoproj.io/secret-type: repository + name: cluster-catalog + name: cluster-catalog +stringData: + type: git + url: ssh://git@git.example.com/org/repo.git +type: Opaque diff --git a/tests/golden/params/argocd/argocd/30_argocd/00_ssh_secret.yaml b/tests/golden/params/argocd/argocd/30_argocd/00_ssh_secret.yaml index cec56897..b8ef6184 100644 --- a/tests/golden/params/argocd/argocd/30_argocd/00_ssh_secret.yaml +++ b/tests/golden/params/argocd/argocd/30_argocd/00_ssh_secret.yaml @@ -3,6 +3,9 @@ kind: Secret metadata: annotations: {} labels: + argocd.argoproj.io/secret-type: repo-creds name: argo-ssh-key name: argo-ssh-key +stringData: + url: ssh://git@git.example.com/org/repo.git type: Opaque diff --git a/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml index 13652378..b3aa918b 100644 --- a/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml +++ b/tests/golden/params/argocd/argocd/30_argocd/10_argocd.yaml @@ -21,7 +21,6 @@ spec: "operators.coreos.com/Subscription": "health.lua.useOpenLibs": true image: quay.io/argoproj/argocd - initialRepositories: '- url: ssh://git@git.example.com/org/repo.git' initialSSHKnownHosts: keys: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== 
@@ -117,11 +116,6 @@ spec: - configMap: name: kapitan-plugin-config name: kapitan-plugin-config - repositoryCredentials: | - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey resourceExclusions: |- - "apiGroups": - "cilium.io" diff --git a/tests/golden/prometheus/argocd/argocd/30_argocd/00_repo_secret.yaml b/tests/golden/prometheus/argocd/argocd/30_argocd/00_repo_secret.yaml new file mode 100644 index 00000000..f4e28355 --- /dev/null +++ b/tests/golden/prometheus/argocd/argocd/30_argocd/00_repo_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + argocd.argoproj.io/secret-type: repository + name: cluster-catalog + name: cluster-catalog +stringData: + type: git + url: ssh://git@git.example.com/org/repo.git +type: Opaque diff --git a/tests/golden/prometheus/argocd/argocd/30_argocd/00_ssh_secret.yaml b/tests/golden/prometheus/argocd/argocd/30_argocd/00_ssh_secret.yaml index cec56897..b8ef6184 100644 --- a/tests/golden/prometheus/argocd/argocd/30_argocd/00_ssh_secret.yaml +++ b/tests/golden/prometheus/argocd/argocd/30_argocd/00_ssh_secret.yaml @@ -3,6 +3,9 @@ kind: Secret metadata: annotations: {} labels: + argocd.argoproj.io/secret-type: repo-creds name: argo-ssh-key name: argo-ssh-key +stringData: + url: ssh://git@git.example.com/org/repo.git type: Opaque diff --git a/tests/golden/prometheus/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/prometheus/argocd/argocd/30_argocd/10_argocd.yaml index c9a9a14d..f15cf007 100644 --- a/tests/golden/prometheus/argocd/argocd/30_argocd/10_argocd.yaml +++ b/tests/golden/prometheus/argocd/argocd/30_argocd/10_argocd.yaml 
@@ -27,7 +27,6 @@ spec: "operators.coreos.com/Subscription": "health.lua.useOpenLibs": true image: quay.io/argoproj/argocd - initialRepositories: '- url: ssh://git@git.example.com/org/repo.git' initialSSHKnownHosts: keys: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== @@ -138,11 +137,6 @@ spec: - configMap: name: kapitan-plugin-config name: kapitan-plugin-config - repositoryCredentials: | - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey resourceExclusions: |- - "apiGroups": - "cilium.io" diff --git a/tests/golden/syn-teams/argocd/argocd/30_argocd/00_repo_secret.yaml b/tests/golden/syn-teams/argocd/argocd/30_argocd/00_repo_secret.yaml new file mode 100644 index 00000000..f4e28355 --- /dev/null +++ b/tests/golden/syn-teams/argocd/argocd/30_argocd/00_repo_secret.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Secret +metadata: + annotations: {} + labels: + argocd.argoproj.io/secret-type: repository + name: cluster-catalog + name: cluster-catalog +stringData: + type: git + url: ssh://git@git.example.com/org/repo.git +type: Opaque diff --git a/tests/golden/syn-teams/argocd/argocd/30_argocd/00_ssh_secret.yaml b/tests/golden/syn-teams/argocd/argocd/30_argocd/00_ssh_secret.yaml index cec56897..b8ef6184 100644 --- a/tests/golden/syn-teams/argocd/argocd/30_argocd/00_ssh_secret.yaml +++ b/tests/golden/syn-teams/argocd/argocd/30_argocd/00_ssh_secret.yaml @@ -3,6 +3,9 @@ kind: Secret metadata: annotations: {} labels: + argocd.argoproj.io/secret-type: repo-creds name: argo-ssh-key name: argo-ssh-key +stringData: + url: ssh://git@git.example.com/org/repo.git type: Opaque 
diff --git a/tests/golden/syn-teams/argocd/argocd/30_argocd/10_argocd.yaml b/tests/golden/syn-teams/argocd/argocd/30_argocd/10_argocd.yaml index c9a9a14d..f15cf007 100644 --- a/tests/golden/syn-teams/argocd/argocd/30_argocd/10_argocd.yaml +++ b/tests/golden/syn-teams/argocd/argocd/30_argocd/10_argocd.yaml @@ -27,7 +27,6 @@ spec: "operators.coreos.com/Subscription": "health.lua.useOpenLibs": true image: quay.io/argoproj/argocd - initialRepositories: '- url: ssh://git@git.example.com/org/repo.git' initialSSHKnownHosts: keys: | bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== @@ -138,11 +137,6 @@ spec: - configMap: name: kapitan-plugin-config name: kapitan-plugin-config - repositoryCredentials: | - - url: ssh://git@ - sshPrivateKeySecret: - name: argo-ssh-key - key: sshPrivateKey resourceExclusions: |- - "apiGroups": - "cilium.io"