Merge branch 'main' into cr-31215-31212-31211-fix-security-main-branch

Author: vasil-cf

charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml

@@ -1,17 +1,11 @@
-{{- define "cap-app-proxy.resources.configmap-documented-configs"}}
-argoCdUrl: {{ .Values.config.argoCdUrl }}
-argoCdUsername: {{ .Values.config.argoCdUsername }}
+{{- define "cap-app-proxy.resources.configmap-documented-configs" }}
 argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }}
-argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }}
+clusterChunkSize: {{ .Values.config.clusterChunkSize | quote }}
 cors: {{ .Values.global.codefresh.url }}
-  {{- with .Values.config.clusterChunkSize }} 
-clusterChunkSize: {{ . | quote }}
-  {{- end }}
-env: {{ .Values.config.env | quote}}
 isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }}
 isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }}
 runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}}
-skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }}
+isNamespacedRuntime: {{ .Values.global.runtime.singleNamespace | quote }}
 logLevel: {{ .Values.config.logLevel | quote }}
   {{- $enrichmentValues := get .Values "image-enrichment" }}
   {{- if $enrichmentValues.enabled }}
@@ -30,7 +24,7 @@ enrichmentJiraEnrichmentImage: {{ printf "%s/%s:%s" $enrichmentValues.config.ima
 
 {{- define "cap-app-proxy.resources.configmap" }}
 {{- $documentedConfigs := (include "cap-app-proxy.resources.configmap-documented-configs" . | fromYaml ) }}
-{{- $overrides := omit .Values.config "clusterChunkSize" }}
+{{- $overrides := omit .Values.config "argoWorkflowsInsecure" "clusterChunkSize" "cors" }}
 {{- $mergedConfig := mergeOverwrite $documentedConfigs $overrides }}
 apiVersion: v1
 kind: ConfigMap

charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml

@@ -5,9 +5,6 @@ ARGO_CD_URL:
       name: cap-app-proxy-cm
       key: argoCdUrl
       optional: true
-ARGO_CD_TOKEN: {{ include "codefresh-gitops-runtime.argocd.server.token" . | nindent 2 }}
-ARGO_CD_USERNAME: {{ include "codefresh-gitops-runtime.argocd.server.username-env-var" . | nindent 2 }}
-ARGO_CD_PASSWORD: {{ include "codefresh-gitops-runtime.argocd.server.password" . | nindent 2 }}
 ARGO_WORKFLOWS_INSECURE:
   valueFrom:
     configMapKeyRef:
@@ -224,8 +221,9 @@ LEADER_ID:
 Read defaults from the template above and merge with the values provided in values file
 */}}
 {{- define "cap-app-proxy.environment-variables" -}}
-{{- $defaults := (include "cap-app-proxy.environment-variables.defaults" . | fromYaml) }}
-{{- $overrides := .Values.env }}
-{{- $mergedValues := mergeOverwrite $defaults $overrides }}
-{{- include "codefresh-gitops-runtime.components.common_helpers.container-templates.env-vars" $mergedValues }}
+  {{- $defaults := (include "cap-app-proxy.environment-variables.defaults" . | fromYaml) }}
+  {{- $argoCdAuth := (include "codefresh-gitops-runtime.argocd-auth" . | fromYaml) }}
+  {{- $overrides := .Values.env }}
+  {{- $mergedValues := mergeOverwrite $defaults $argoCdAuth $overrides }}
+  {{- include "codefresh-gitops-runtime.components.common_helpers.container-templates.env-vars" $mergedValues }}
 {{- end -}}

charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl

@@ -1,4 +1,5 @@
 {{- define "cf-argocd-extras.default-values" }}
+  {{- $argoCdAuth := (include "codefresh-gitops-runtime.argocd-token-auth" . | fromYaml) }}
 global: {}
 
 externalRedis:
@@ -84,8 +85,7 @@ eventReporter:
             name: argocd-cmd-params-cm
             key: server.rootpath
             optional: true
-      ARGO_CD_TOKEN_SECRET_NAME: argocd-token
-      ARGO_CD_TOKEN_SECRET_KEY: token
+{{ $argoCdAuth | toYaml | indent 6 }}
       BINARY_NAME: event-reporter
       CODEFRESH_SSL_CERT_PATH: ""
       CODEFRESH_TLS_INSECURE:
@@ -392,8 +392,7 @@ sourcesServer:
           configMapKeyRef:
             name: sources-server-cmd-params-cm
             key: argocd.server
-      ARGO_CD_TOKEN_SECRET_NAME: argocd-token
-      ARGO_CD_TOKEN_SECRET_KEY: token
+{{ $argoCdAuth | toYaml | indent 6}}
       ARGOCD_SERVER_ROOTPATH:
         valueFrom:
           configMapKeyRef:

charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml

@@ -15,16 +15,6 @@
   {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key"  (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }}
 {{- end }}
 
-{{- if and (eq (index $context.Values "global" "external-argo-cd" "auth" "type") "token") }}
-  {{- if not (index $context.Values "global" "external-argo-cd" "auth" "token") }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "name")) }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key" )) }}
-  {{- else }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }}
-  {{- end }}
-{{- end }}
-
 {{- if and (index $context.Values "global" "external-argo-cd" "server" "rootpath") }}
   {{- $_ := set $context.Values.container.env "ARGOCD_SERVER_ROOTPATH" (index $context.Values "global" "external-argo-cd" "server" "rootpath") }}
 {{- end }}

charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml

@@ -15,16 +15,6 @@
   {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key"  (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }}
 {{- end }}
 
-{{- if and (eq (index $context.Values "global" "external-argo-cd" "auth" "type") "token") }}
-  {{- if not (index $context.Values "global" "external-argo-cd" "auth" "token") }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "name")) }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key" )) }}
-  {{- else }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }}
-      {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }}
-  {{- end }}
-{{- end }}
-
 {{- if and (index $context.Values "global" "external-argo-cd" "server" "rootpath") }}
   {{- $_ := set $context.Values.container.env "ARGOCD_SERVER_ROOTPATH" (index $context.Values "global" "external-argo-cd" "server" "rootpath") }}
 {{- end }}

charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml

@@ -3,33 +3,36 @@ Some environment variables are determined by values provided in other components
 to keep the separation of components as pseudo library charts, they are defined here to be merged when components are generated.
 */}}
 {{- define "gitops-operator.resources.environment-variables.calculated" }}
+  {{- include "codefresh-gitops-runtime.argocd-token-auth" . }}
   {{/* if custom certificates are provided */}}
   {{- if .Values.global.codefresh.tls.caCerts.secretKeyRef }}
 CF_CA_CERT: {{ printf "/app/config/codefresh-tls/%s" .Values.global.codefresh.tls.caCerts.secretKeyRef.key  }}
   {{- end }}
 CF_URL: {{ .Values.global.codefresh.url }}
+COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }}
 GITOPS_OPERATOR_VERSION: {{ .Values.image.tag }}
+  {{- if (gt (int .Values.replicaCount) 1 ) }}
+LEADER_ELECT: true
+  {{- else }}
+LEADER_ELECT: false
+  {{- end }}
+MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }}
+PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }}
 RUNTIME: {{ .Values.global.runtime.name }}
 TASK_POLLING_INTERVAL: {{ .Values.config.taskPollingInterval }}
-COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }}
 WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }}
-MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }}
-PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }}
 {{- end }}
 
 {{- define "gitops-operator.resources.environment-variables.defaults" -}}
 AP_URL: http://cap-app-proxy:3017
 ARGO_CD_URL: argo-cd-server:80
-ARGO_CD_TOKEN_SECRET_NAME: argocd-token
-ARGO_CD_TOKEN_SECRET_KEY: token
 ARGO_WF_URL: http://argo-server:2746
 CF_TOKEN:
   valueFrom:
     secretKeyRef:
       name: codefresh-token
       key: token
 HEALTH_PROBE_BIND_ADDRESS: :8081
-LEADER_ELECT: true
 METRICS_BIND_ADDRESS: :8080
 METRICS_SECURE: false
 NAMESPACE:

charts/gitops-runtime/templates/_components/gitops-operator/crds/promotiontasks.yaml

@@ -258,6 +258,13 @@ spec:
                           additionalProperties:
                             type: string
                           type: object
+                        stage:
+                          type: string
+                        uid:
+                          maxLength: 36
+                          minLength: 36
+                          pattern: ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$
+                          type: string
                         workflowTemplateName:
                           maxLength: 253
                           minLength: 1
@@ -526,9 +533,12 @@ spec:
                                 description: NodePhase is a label for the condition
                                   of a node at the current time.
                                 type: string
+                              templateName:
+                                type: string
                             required:
                             - name
                             - phase
+                            - templateName
                             type: object
                           type: array
                         phase: