Fix ArgoCD 3.0.0+ compatibility by replacing legacy repo credentials with proper repo-creds secret (#674)

aronreisx · web-flow · commit bd4e85f36b8f · 2025-07-02T12:09:56.000+03:00
* fix(cmd): add missing ArgoCD repository credentials during bootstrap

- Add argocdRepoCreds field to bootstrapManifests struct
- Create getArgoCDRepoCredsSecret function to generate ArgoCD-specific repo credentials
- Apply ArgoCD repo credentials secret before bootstrap manifests
- Include ArgoCD repo credentials in dry-run output
- Add comprehensive tests for ArgoCD repository credentials functionality

This ensures ArgoCD can properly authenticate with the Git repository during
the bootstrap process by creating the required argocd-repo-creds secret with
the appropriate labels and format expected by ArgoCD.

* chore(deps): bump github.com/golang-jwt/jwt/v4 to v4.5.2
* chore(deps): bump github.com/expr-lang/expr to v1.17.5

---------

Signed-off-by: Aron Reis &lt;aronreis2@gmail.com&gt;
diff --git a/cmd/commands/repo.go b/cmd/commands/repo.go
@@ -23,7 +23,6 @@ import (
 
 	argocdcommon "github.com/argoproj/argo-cd/v2/common"
 	argocdv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	argocdsettings "github.com/argoproj/argo-cd/v2/util/settings"
 	"github.com/go-git/go-billy/v5/memfs"
 	billyUtils "github.com/go-git/go-billy/v5/util"
 	"github.com/spf13/cobra"
@@ -358,7 +357,7 @@ func NewRepoUninstallCommand() *cobra.Command {
 
 	<BIN> repo uninstall --repo https://github.com/example/repo --force
 `),
-		PreRunE: func(_ *cobra.Command, _ []string) error{
+		PreRunE: func(_ *cobra.Command, _ []string) error {
 			if !clusterOnly {
 				cloneOpts.Parse()
 			}
@@ -532,22 +531,28 @@ func waitClusterReady(ctx context.Context, f kube.Factory, timeout time.Duration
 	})
 }
 
-func getRepoCredsSecret(username, token, namespace string) ([]byte, error) {
+func getRepoCredsSecret(username, token, namespace, repoURL string) ([]byte, error) {
+	host, _, _, _, _, _, _ := util.ParseGitUrl(repoURL)
+
 	return yaml.Marshal(&v1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
 			Kind:       "Secret",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      store.Default.RepoCredsSecretName,
+			Name:      "argocd-repo-creds",
 			Namespace: namespace,
 			Labels: map[string]string{
+				"argocd.argoproj.io/secret-type":   "repo-creds",
 				store.Default.LabelKeyAppManagedBy: store.Default.LabelValueManagedBy,
 			},
 		},
-		Data: map[string][]byte{
-			"git_username": []byte(username),
-			"git_token":    []byte(token),
+		Type: v1.SecretTypeOpaque,
+		StringData: map[string]string{
+			"type":     "git",
+			"url":      host,
+			"username": username,
+			"password": token,
 		},
 	})
 }
@@ -670,7 +675,7 @@ func buildBootstrapManifests(namespace, appSpecifier string, cloneOpts *git.Clon
 		return nil, err
 	}
 
-	manifests.repoCreds, err = getRepoCredsSecret(cloneOpts.Auth.Username, cloneOpts.Auth.Password, namespace)
+	manifests.repoCreds, err = getRepoCredsSecret(cloneOpts.Auth.Username, cloneOpts.Auth.Password, namespace, cloneOpts.URL())
 	if err != nil {
 		return nil, err
 	}
@@ -720,11 +725,6 @@ func writeManifestsToRepo(repoFS fs.FS, manifests *bootstrapManifests, installat
 }
 
 func createBootstrapKustomization(namespace, appSpecifier string, cloneOpts *git.CloneOptions) (*kusttypes.Kustomization, error) {
-	credsYAML, err := createCreds(cloneOpts.URL())
-	if err != nil {
-		return nil, err
-	}
-
 	k := &kusttypes.Kustomization{
 		Resources: []string{
 			appSpecifier,
@@ -733,19 +733,6 @@ func createBootstrapKustomization(namespace, appSpecifier string, cloneOpts *git
 			APIVersion: kusttypes.KustomizationVersion,
 			Kind:       kusttypes.KustomizationKind,
 		},
-		ConfigMapGenerator: []kusttypes.ConfigMapArgs{
-			{
-				GeneratorArgs: kusttypes.GeneratorArgs{
-					Name:     "argocd-cm",
-					Behavior: kusttypes.BehaviorMerge.String(),
-					KvPairSources: kusttypes.KvPairSources{
-						LiteralSources: []string{
-							"repository.credentials=" + string(credsYAML),
-						},
-					},
-				},
-			},
-		},
 		Namespace: namespace,
 	}
 
@@ -789,29 +776,6 @@ func createBootstrapKustomization(namespace, appSpecifier string, cloneOpts *git
 	return k, nil
 }
 
-func createCreds(repoUrl string) ([]byte, error) {
-	host, _, _, _, _, _, _ := util.ParseGitUrl(repoUrl)
-	creds := []argocdsettings.RepositoryCredentials{
-		{
-			URL: host,
-			UsernameSecret: &v1.SecretKeySelector{
-				LocalObjectReference: v1.LocalObjectReference{
-					Name: store.Default.RepoCredsSecretName,
-				},
-				Key: "git_username",
-			},
-			PasswordSecret: &v1.SecretKeySelector{
-				LocalObjectReference: v1.LocalObjectReference{
-					Name: store.Default.RepoCredsSecretName,
-				},
-				Key: "git_token",
-			},
-		},
-	}
-
-	return yaml.Marshal(creds)
-}
-
 func setUninstallOptsDefaults(opts RepoUninstallOptions) (*RepoUninstallOptions, error) {
 	var err error
 
diff --git a/cmd/commands/repo_test.go b/cmd/commands/repo_test.go
@@ -200,10 +200,14 @@ func Test_buildBootstrapManifests(t *testing.T) {
 
 				creds := &v1.Secret{}
 				assert.NoError(t, yaml.Unmarshal(b.repoCreds, &creds))
-				assert.Equal(t, store.Default.RepoCredsSecretName, creds.ObjectMeta.Name)
+				assert.Equal(t, "argocd-repo-creds", creds.ObjectMeta.Name)
 				assert.Equal(t, "foo", creds.ObjectMeta.Namespace)
-				assert.Equal(t, []byte("test"), creds.Data["git_token"])
-				assert.Equal(t, []byte(store.Default.GitHubUsername), creds.Data["git_username"])
+				assert.Equal(t, "repo-creds", creds.ObjectMeta.Labels["argocd.argoproj.io/secret-type"])
+				assert.Equal(t, store.Default.LabelValueManagedBy, creds.ObjectMeta.Labels[store.Default.LabelKeyAppManagedBy])
+				assert.Equal(t, "git", creds.StringData["type"])
+				assert.Equal(t, "https://github.com/", creds.StringData["url"])
+				assert.Equal(t, "test", creds.StringData["password"])
+				assert.Equal(t, store.Default.GitHubUsername, creds.StringData["username"])
 			},
 		},
 	}
@@ -405,6 +409,61 @@ func TestRunRepoBootstrap(t *testing.T) {
 	}
 }
 
+func Test_getRepoCredsSecret(t *testing.T) {
+	tests := map[string]struct {
+		username  string
+		token     string
+		namespace string
+		repoURL   string
+		assertFn  func(t *testing.T, secret []byte, err error)
+	}{
+		"Basic GitHub": {
+			username:  "testuser",
+			token:     "testtoken",
+			namespace: "argocd",
+			repoURL:   "https://github.com/owner/repo.git",
+			assertFn: func(t *testing.T, secretBytes []byte, err error) {
+				assert.NoError(t, err)
+
+				secret := &v1.Secret{}
+				assert.NoError(t, yaml.Unmarshal(secretBytes, secret))
+				assert.Equal(t, "argocd-repo-creds", secret.ObjectMeta.Name)
+				assert.Equal(t, "argocd", secret.ObjectMeta.Namespace)
+				assert.Equal(t, "repo-creds", secret.ObjectMeta.Labels["argocd.argoproj.io/secret-type"])
+				assert.Equal(t, store.Default.LabelValueManagedBy, secret.ObjectMeta.Labels[store.Default.LabelKeyAppManagedBy])
+				assert.Equal(t, "git", secret.StringData["type"])
+				assert.Equal(t, "https://github.com/", secret.StringData["url"])
+				assert.Equal(t, "testuser", secret.StringData["username"])
+				assert.Equal(t, "testtoken", secret.StringData["password"])
+			},
+		},
+		"GitLab": {
+			username:  "gitlabuser",
+			token:     "glpat-xxxx",
+			namespace: "custom-ns",
+			repoURL:   "https://gitlab.com/group/project.git",
+			assertFn: func(t *testing.T, secretBytes []byte, err error) {
+				assert.NoError(t, err)
+
+				secret := &v1.Secret{}
+				assert.NoError(t, yaml.Unmarshal(secretBytes, secret))
+				assert.Equal(t, "argocd-repo-creds", secret.ObjectMeta.Name)
+				assert.Equal(t, "custom-ns", secret.ObjectMeta.Namespace)
+				assert.Equal(t, "https://gitlab.com/", secret.StringData["url"])
+				assert.Equal(t, "gitlabuser", secret.StringData["username"])
+				assert.Equal(t, "glpat-xxxx", secret.StringData["password"])
+			},
+		},
+	}
+
+	for tname, tt := range tests {
+		t.Run(tname, func(t *testing.T) {
+			secret, err := getRepoCredsSecret(tt.username, tt.token, tt.namespace, tt.repoURL)
+			tt.assertFn(t, secret, err)
+		})
+	}
+}
+
 func TestRunRepoBootstrapRecovery(t *testing.T) {
 	exitCalled := false
 	tests := map[string]struct {
diff --git a/go.mod b/go.mod
@@ -92,7 +92,7 @@ require (
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.9.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
-	github.com/expr-lang/expr v1.16.9 // indirect
+	github.com/expr-lang/expr v1.17.5 // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.16.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
@@ -121,7 +121,7 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/btree v1.1.3 // indirect
diff --git a/go.sum b/go.sum
@@ -223,8 +223,8 @@ github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0
 github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
-github.com/expr-lang/expr v1.16.9 h1:WUAzmR0JNI9JCiF0/ewwHB1gmcGw5wW7nWt8gc6PpCI=
-github.com/expr-lang/expr v1.16.9/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
+github.com/expr-lang/expr v1.17.5 h1:i1WrMvcdLF249nSNlpQZN1S6NXuW9WaOfF5tPi3aw3k=
+github.com/expr-lang/expr v1.17.5/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
 github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51/go.mod h1:Yg+htXGokKKdzcwhuNDwVvN+uBxDGXJ7G/VN1d8fa64=
 github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg=
 github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870/go.mod h1:5tD+neXqOorC30/tWg0LCSkrqj/AR6gu8yY8/fpw1q0=
@@ -359,8 +359,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
-github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
