From b50ddccf55cdb303e872000c53750742dda5dfa0 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Wed, 1 Oct 2025 14:05:10 +0300 Subject: [PATCH 01/11] fix: update app-proxy image tags to 1.3798.0 fix: app-proxy does not monitor and re-create the argocd-token if it was already created before the Pod started (https://github.com/codefresh-io/argo-platform/pull/6710) --- charts/gitops-runtime/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 2da706db..9d96db10 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -564,14 +564,14 @@ app-proxy: tag: 1.1.16-main image: repository: quay.io/codefresh/cap-app-proxy - tag: 1.3791.0 + tag: 1.3798.0 pullPolicy: IfNotPresent # -- Extra volume mounts for main container extraVolumeMounts: [] initContainer: image: repository: quay.io/codefresh/cap-app-proxy-init - tag: 1.3791.0 + tag: 1.3798.0 pullPolicy: IfNotPresent command: - ./init.sh From 0394f0514a9bc0979f2bf89af9424bb7e69a540f Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Wed, 1 Oct 2025 13:33:51 +0300 Subject: [PATCH 02/11] inject username/password OR token into app-proxy env --- .../_components/cap-app-proxy/_config.yaml | 13 +- .../_main-container.yaml | 12 +- .../event-reporter/_statefulset.yaml | 15 +- .../sources-server/_deployment.yaml | 15 +- charts/gitops-runtime/templates/_helpers.tpl | 142 ++++++------------ .../templates/app-proxy/config.yaml | 6 +- .../app-proxy/external-argocd-token.yaml | 4 +- .../templates/gitops-operator/deployment.yaml | 37 ++--- .../tests/external_argocd_test.yaml | 132 ++++++++++++---- .../tests/values/external-argocd-values.yaml | 14 -- charts/gitops-runtime/values.yaml | 4 +- scripts/helm-unittests.sh | 2 +- 12 files changed, 205 insertions(+), 191 deletions(-) 
diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 7751eb84..9937ed42 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml @@ -1,16 +1,11 @@ -{{- define "cap-app-proxy.resources.configmap-documented-configs"}} -argoCdUrl: {{ .Values.config.argoCdUrl }} -argoCdUsername: {{ .Values.config.argoCdUsername }} +{{- define "cap-app-proxy.resources.configmap-documented-configs" }} argoWorkflowsInsecure: {{ .Values.config.argoWorkflowsInsecure | quote }} -argoWorkflowsUrl: {{ default "" .Values.config.argoWorkflowsUrl }} +clusterChunkSize: {{ .Values.config.clusterChunkSize | quote }} cors: {{ .Values.global.codefresh.url }} - {{- with .Values.config.clusterChunkSize }} -clusterChunkSize: {{ . | quote }} - {{- end }} -env: {{ .Values.config.env | quote}} isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote }} isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} +isNamespacedRuntime: {{ .Values.global.runtime.singleNamespace | quote }} skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} 
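Review bot: `clusterChunkSize` is now rendered unconditionally with `| quote`, where the removed lines wrapped it in `{{- with .Values.config.clusterChunkSize }}`. If the value is unset or empty, the key presumably still lands in the ConfigMap with an empty or null value instead of being omitted, and the consumer may not treat that the same as a missing key. Either keep the `with` guard or give it an explicit fallback, e.g. `clusterChunkSize: {{ .Values.config.clusterChunkSize | default "" | quote }}`, and document which behaviour is intended. The untouched `cors: {{ .Values.global.codefresh.url }}` line in the same define is the only entry left unquoted and could get `| quote` for consistency.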
@@ -30,7 +25,7 @@ enrichmentJiraEnrichmentImage: {{ printf "%s/%s:%s" $enrichmentValues.config.ima {{- define "cap-app-proxy.resources.configmap" }} {{- $documentedConfigs := (include "cap-app-proxy.resources.configmap-documented-configs" . | fromYaml ) }} -{{- $overrides := omit .Values.config "clusterChunkSize" }} +{{- $overrides := omit .Values.config "argoWorkflowsInsecure" "clusterChunkSize" "cors" "singleNamespace" "skipGitPermissionValidation" }} {{- $mergedConfig := mergeOverwrite $documentedConfigs $overrides }} apiVersion: v1 kind: ConfigMap diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml index f59f769e..a19430d5 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/environment-variables/_main-container.yaml @@ -5,9 +5,6 @@ ARGO_CD_URL: name: cap-app-proxy-cm key: argoCdUrl optional: true -ARGO_CD_TOKEN: {{ include "codefresh-gitops-runtime.argocd.server.token" . | nindent 2 }} -ARGO_CD_USERNAME: {{ include "codefresh-gitops-runtime.argocd.server.username-env-var" . | nindent 2 }} -ARGO_CD_PASSWORD: {{ include "codefresh-gitops-runtime.argocd.server.password" . | nindent 2 }} ARGO_WORKFLOWS_INSECURE: valueFrom: configMapKeyRef: 
@@ -224,8 +221,9 @@ LEADER_ID: Read defaults from the template above and merge with the values provided in values file */}} {{- define "cap-app-proxy.environment-variables" -}} -{{- $defaults := (include "cap-app-proxy.environment-variables.defaults" . | fromYaml) }} -{{- $overrides := .Values.env }} -{{- $mergedValues := mergeOverwrite $defaults $overrides }} -{{- include "codefresh-gitops-runtime.components.common_helpers.container-templates.env-vars" $mergedValues }} + {{- $defaults := (include "cap-app-proxy.environment-variables.defaults" . | fromYaml) }} + {{- $argoCdAuth := (include "codefresh-gitops-runtime.argocd-auth" . | fromYaml) }} + {{- $overrides := .Values.env }} + {{- $mergedValues := mergeOverwrite $defaults $argoCdAuth $overrides }} + {{- include "codefresh-gitops-runtime.components.common_helpers.container-templates.env-vars" $mergedValues }} {{- end -}} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml index ccbadd63..3d2d2031 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml 
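Review bot: The merge order `mergeOverwrite $defaults $argoCdAuth $overrides` lets `.Values.env` win over the auth helper, and the comment above the define does not say so. A leftover `ARGO_CD_PASSWORD` or `ARGO_CD_TOKEN` entry under the app-proxy `env` values would therefore be injected alongside the credential for the selected `auth.type`, which works against the either/or intent of this commit. Extend the comment to state the precedence, for example `defaults < codefresh-gitops-runtime.argocd-auth < .Values.env; entries in .Values.env can re-add or replace the Argo CD credential variables`. Separately, `fromYaml` reports a parse failure as a map with an `Error` key rather than aborting the render, so a malformed helper output would be merged in without any error.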
@@ -15,13 +15,16 @@ {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key" (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }} {{- end }} -{{- if and (eq (index $context.Values "global" "external-argo-cd" "auth" "type") "token") }} - {{- if not (index $context.Values "global" "external-argo-cd" "auth" "token") }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "name")) }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key" )) }} +{{- $argoCdAuth := (index .Values "global" "external-argo-cd" "auth") }} +{{- if (eq $argoCdAuth.type "token") }} + {{- if $argoCdAuth.token }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} + {{- else if $argoCdAuth.tokenSecretKeyRef }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} {{- else }} - {{- $_ := set $context.Values.container.env 
"ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} + {{ fail ".Values.global.external-argo-cd.auth.type is 'token' and .Values.global.external-argo-cd.auth.token or .Values.global.external-argo-cd.auth.tokenSecretKeyRef are not set" }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml index 16c67b92..16a38003 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml 
@@ -15,13 +15,16 @@ {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key" (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }} {{- end }} -{{- if and (eq (index $context.Values "global" "external-argo-cd" "auth" "type") "token") }} - {{- if not (index $context.Values "global" "external-argo-cd" "auth" "token") }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "name")) }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key" )) }} +{{- $argoCdAuth := (index .Values "global" "external-argo-cd" "auth") }} +{{- if (eq $argoCdAuth.type "token") }} + {{- if $argoCdAuth.token }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} + {{- else if $argoCdAuth.tokenSecretKeyRef }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} {{- else }} - {{- $_ := set $context.Values.container.env 
"ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} + {{ fail ".Values.global.external-argo-cd.auth.type is 'token' and .Values.global.external-argo-cd.auth.token or .Values.global.external-argo-cd.auth.tokenSecretKeyRef are not set" }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 693878f4..01b59c26 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl @@ -94,7 +94,7 @@ Determine argocd repo server service name. Must be called with chart root contex */}} {{- define "codefresh-gitops-runtime.argocd.reposerver.servicename" -}} {{/* For now use template from ArgoCD chart until better approach */}} - {{- if and (index .Subcharts "argo-cd") }} + {{- if (index .Subcharts "argo-cd") }} {{- template "argo-cd.repoServer.fullname" (dict "Values" (get .Values "argo-cd") "Release" .Release ) }} {{- else }} {{- $repoServer := index .Values "global" "external-argo-cd" "repoServer" }} @@ -108,7 +108,7 @@ Determine argocd argocd repo server port */}} {{- define "codefresh-gitops-runtime.argocd.reposerver.serviceport" -}} {{/* For now use template from ArgoCD chart until better approach */}} - {{- if and (index .Subcharts "argo-cd") }} + {{- if (index .Subcharts "argo-cd") }} {{- index .Values "argo-cd" "repoServer" "service" "port" }} {{- else }} {{- $repoServer := index .Values "global" "external-argo-cd" "repoServer" }} 
@@ -123,11 +123,11 @@ Determine argocd repoServer url */}} {{- define "codefresh-gitops-runtime.argocd.reposerver.url" -}} {{- $argoCDValues := (get .Values "argo-cd") }} -{{- if and (index .Values "argo-cd" "enabled") }} +{{- if (index .Values "argo-cd" "enabled") }} {{- $serviceName := include "codefresh-gitops-runtime.argocd.reposerver.servicename" . }} {{- $port := include "codefresh-gitops-runtime.argocd.reposerver.serviceport" . }} {{- printf "%s:%s" $serviceName $port }} -{{- else if and (index .Values "global" "external-argo-cd" "repoServer") }} +{{- else if (index .Values "global" "external-argo-cd" "repoServer") }} {{- $repoServer := (index .Values "global" "external-argo-cd" "repoServer") }} {{- $svc := required "ArgoCD is not enabled and .Values.global.external-argo-cd.repoServer.svc is not set" $repoServer.svc }} {{- $port := required "ArgoCD is not enabled and .Values.global.external-argo-cd.repoServer.port is not set" $repoServer.port }} @@ -150,7 +150,7 @@ Determine argocd servicename. Must be called with chart root context Determine rollouts name */}} {{- define "codefresh-gitops-runtime.argo-rollouts.name" -}} - {{- if and (index .Values "argo-rollouts" "enabled") }} + {{- if (index .Values "argo-rollouts" "enabled") }} {{/* For now use template from rollouts chart until better approach */}} {{- template "argo-rollouts.fullname" (dict "Values" (get .Values "argo-rollouts")) }} {{- else }} @@ -190,7 +190,7 @@ Determine argocd redis service port. Must be called with chart root context Determine argocd server url. Must be called with chart root context */}} {{- define "codefresh-gitops-runtime.argocd.server.url" -}} - {{- if and (index .Values "argo-cd" "enabled") }} + {{- if (index .Values "argo-cd" "enabled") }} {{- $protocol := "https" }} {{- $port := include "codefresh-gitops-runtime.argocd.server.serviceport" . }} {{- if (eq $port "80") }} 
@@ -198,13 +198,13 @@ Determine argocd server url. Must be called with chart root context {{- end }} {{- $url := include "codefresh-gitops-runtime.argocd.server.no-protocol-url" . }} {{- printf "%s://%s" $protocol $url }} - {{- else if and (index .Values "global" "external-argo-cd" "server") }} + {{- else if (index .Values "global" "external-argo-cd" "server") }} {{- $argoCDSrv := (index .Values "global" "external-argo-cd" "server") }} {{- $protocol := "http" }} {{- $svc := required "ArgoCD is not enabled and .Values.global.external-argo-cd.server.svc is not set" $argoCDSrv.svc }} {{- $port := (required "ArgoCD is not enabled and .Values.global.external-argo-cd.server.port is not port" $argoCDSrv.port) | toString }} {{- $rootpath := (index .Values "global" "external-argo-cd" "server" "rootpath") }} - {{- if and (eq $port "80") }} + {{- if (eq $port "80") }} {{- printf "%s://%s%s" $protocol $svc $rootpath }} {{- else }} {{- printf "%s://%s:%s%s" $protocol $svc $port $rootpath }} 
@@ -219,12 +219,12 @@ Determine argocd server url witout the protocol. Must be called with chart root */}} {{- define "codefresh-gitops-runtime.argocd.server.no-protocol-url" -}} {{- $argoCDValues := (get .Values "argo-cd") }} -{{- if and (index .Values "argo-cd" "enabled") }} +{{- if (index .Values "argo-cd" "enabled") }} {{- $serverName := include "codefresh-gitops-runtime.argocd.server.servicename" . }} {{- $port := include "codefresh-gitops-runtime.argocd.server.serviceport" . }} {{- $path := (get $argoCDValues.configs.params "server.rootpath") }} {{- printf "%s:%s%s" $serverName $port $path }} -{{- else if and (index .Values "global" "external-argo-cd" "server") }} +{{- else if (index .Values "global" "external-argo-cd" "server") }} {{- $argoCDSrv := (index .Values "global" "external-argo-cd" "server") }} {{- $svc := required "ArgoCD is not enabled and .Values.global.external-argo-cd.server.svc is not set" $argoCDSrv.svc }} {{- $port := required "ArgoCD is not enabled and .Values.global.external-argo-cd.server.port is not set" $argoCDSrv.port }} 
@@ -235,95 +235,49 @@ Determine argocd server url witout the protocol. Must be called with chart root {{- end }} {{- end}} -{{/* -Determine argocd server password. -*/}} -{{- define "codefresh-gitops-runtime.argocd.server.password" }} - {{- if and (index .Values "argo-cd" "enabled") }} -valueFrom: - secretKeyRef: - name: argocd-initial-admin-secret - key: password - {{- else if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "password") (index .Values "global" "external-argo-cd" "auth" "passwordSecretKeyRef") }} -valueFrom: - secretKeyRef: -{{- index .Values "global" "external-argo-cd" "auth" "passwordSecretKeyRef" | toYaml | nindent 4 }} - {{- else if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "password") (index .Values "global" "external-argo-cd" "auth" "password") }} -valueFrom: - secretKeyRef: - name: gitops-runtime-argo-cd-password - key: token - {{- else if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") (index .Values "global" "external-argo-cd" "auth" "token") }} -valueFrom: - secretKeyRef: - name: gitops-runtime-argo-cd-token - key: token - {{- else if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") (index .Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef") }} -valueFrom: - secretKeyRef: -{{- index .Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" | toYaml | nindent 4 }} - optional: true - {{- else }} -{{ fail "ArgoCD is not enabled and .Values.global.external-argo-cd.auth.password or .Values.global.external-argo-cd.auth.passwordSecretKeyRef is not set" }} - {{- end }} -{{- end }} - - -{{/* -Determine argocd token password. 
-*/}} -{{- define "codefresh-gitops-runtime.argocd.server.token" }} - {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") (index .Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "name") (index .Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key")}} -valueFrom: - secretKeyRef: -{{- index .Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" | toYaml | nindent 4 }} - {{- else if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") (index .Values "global" "external-argo-cd" "auth" "token") }} -valueFrom: - secretKeyRef: - name: gitops-runtime-argo-cd-token - key: token - {{- else if or (eq (index .Values "global" "external-argo-cd" "auth" "type") "password") }} -valueFrom: - secretKeyRef: - name: argocd-token - key: token - optional: true - {{- else }} - {{ fail (printf "Invalid value for .Values.global.external-argo-cd.auth.type: %s. Allowed values are: [password token]" (index .Values "global" "external-argo-cd" "auth" "type")) }} - {{- end }} -{{- end }} - -{{/* -Determine argocd server password. 
-*/}} -{{- define "codefresh-gitops-runtime.argocd.server.username-env-var" }} - {{- if and (index .Values "argo-cd" "enabled") }} -valueFrom: - configMapKeyRef: - name: cap-app-proxy-cm - key: argoCdUsername - optional: true - {{- else if and (index .Values "global" "external-argo-cd" "auth" "usernameSecretKeyRef") }} -valueFrom: - secretKeyRef: -{{- index .Values "global" "external-argo-cd" "auth" "usernameSecretKeyRef" | toYaml | nindent 4 }} - {{- else if and (index .Values "global" "external-argo-cd" "auth" "username") }} -{{- printf "%s" (index .Values "global" "external-argo-cd" "auth" "username") }} +{{- define "codefresh-gitops-runtime.argocd-auth" -}} + {{- $authValues := (index .Values "global" "external-argo-cd" "auth") }} + {{- if (eq $authValues.type "password") }} +ARGO_CD_USERNAME: + valueFrom: + configMapKeyRef: + name: cap-app-proxy-cm + key: argoCdUsername +ARGO_CD_PASSWORD: + valueFrom: + secretKeyRef: + {{- if $authValues.password }} + name: gitops-runtime-argo-cd-password + key: token + {{- else if $authValues.passwordSecretKeyRef }} + {{- $authValues.passwordSecretKeyRef | toYaml | nindent 6 }} + {{- end }} + {{- else if (eq $authValues.type "token") }} +ARGO_CD_TOKEN: + valueFrom: + secretKeyRef: + {{- if $authValues.token }} + name: gitops-runtime-argo-cd-token + key: token + {{- else if $authValues.tokenSecretKeyRef }} + {{- if and (hasKey $authValues.tokenSecretKeyRef "name") (hasKey $authValues.tokenSecretKeyRef "key") }} + {{- $authValues.tokenSecretKeyRef | toYaml | nindent 6 }} + {{- else }} + {{- fail "Both 'name' and 'key' must be set in .Values.global.external-argo-cd.auth.tokenSecretKeyRef" }} + {{- end }} + {{- end }} {{- else }} -{{ fail "ArgoCD is not enabled and .Values.global.external-argo-cd.auth.username or .Values.global.external-argo-cd.auth.usernameSecretKeyRef is not set" }} + {{ fail (printf "Invalid value for .Values.global.external-argo-cd.auth.type: %s. 
Allowed values are: [password token]" $authValues.type) }} {{- end }} {{- end }} {{/* -Determine argocd server password. +Determine argocd server username ConfigMap. */}} {{- define "codefresh-gitops-runtime.argocd.server.username-cm" }} - {{- if and (index .Values "argo-cd" "enabled") }} - {{- printf "%s" (index .Values "app-proxy" "config" "argoCdUsername") }} - {{- else if and (index .Values "global" "external-argo-cd" "auth" "username") }} - {{- printf "%s" (index .Values "global" "external-argo-cd" "auth" "username") }} - {{- else }} - {{- fail "ArgoCD is not enabled and .Values.global.external-argo-cd.auth.username is not set" }} + {{- $externalArgoCDValues := (index .Values "global" "external-argo-cd" "auth") }} + {{- if (eq $externalArgoCDValues.type "password") }} + {{- coalesce (index .Values "app-proxy" "config" "argoCdUsername") (index .Values "global" "external-argo-cd" "auth" "username") "" }} {{- end }} {{- end }} @@ -332,11 +286,11 @@ Determine argocd redis url */}} {{- define "codefresh-gitops-runtime.argocd.redis.url" -}} {{- $argoCDValues := (get .Values "argo-cd") }} -{{- if and (index .Values "argo-cd" "enabled") }} +{{- if (index .Values "argo-cd" "enabled") }} {{- $serviceName := include "codefresh-gitops-runtime.argocd.redis.servicename" . }} {{- $port := include "codefresh-gitops-runtime.argocd.redis.serviceport" . }} {{- printf "%s:%s" $serviceName $port }} -{{- else if and (index .Values "global" "external-argo-cd" "redis") }} +{{- else if (index .Values "global" "external-argo-cd" "redis") }} {{- $redis := (index .Values "global" "external-argo-cd" "redis") }} {{- $svc := required "ArgoCD is not enabled and .Values.global.external-argo-cd.redis.svc is not set" $redis.svc }} {{- $port := required "ArgoCD is not enabled and .Values.global.external-argo-cd.redis.port is not set" $redis.port }} 
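Review bot: In the new `codefresh-gitops-runtime.argocd-auth` define, neither the `password` nor the `token` branch has a final `else`. With `auth.type: password` and neither `password` nor `passwordSecretKeyRef` set (or `type: token` with neither `token` nor `tokenSecretKeyRef`), the helper renders an empty `secretKeyRef:` instead of failing as the removed helpers did. Close both inner chains with `{{- else }}` followed by `{{- fail "auth.type is 'password' but neither auth.password nor auth.passwordSecretKeyRef is set" }}` (and the token equivalent). `passwordSecretKeyRef` should also get the same `hasKey` name/key check that `tokenSecretKeyRef` has. The `ARGO_CD_USERNAME` `configMapKeyRef` also lost `optional: true`, while `app-proxy/config.yaml` now unsets `argoCdUsername` when it is empty. A missing username would therefore only surface when the container is created, so it is worth failing at render time instead.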
diff --git a/charts/gitops-runtime/templates/app-proxy/config.yaml b/charts/gitops-runtime/templates/app-proxy/config.yaml index 7cbfb544..4da5a020 100644 --- a/charts/gitops-runtime/templates/app-proxy/config.yaml +++ b/charts/gitops-runtime/templates/app-proxy/config.yaml @@ -7,7 +7,11 @@ {{- if not $appProxyContext.Values.config.argoCdUrl }} {{ $_ := set $appProxyContext.Values.config "argoCdUrl" $argoCdUrl }} {{- end }} -{{- $_ := set $appProxyContext.Values.config "argoCdUsername" $argoCdUsername }} +{{- if $argoCdUsername }} + {{- $_ := set $appProxyContext.Values.config "argoCdUsername" $argoCdUsername }} +{{- else }} + {{ $_ := unset $appProxyContext.Values.config "argoCdUsername" }} +{{- end }} {{- if index (get .Values "argo-workflows") "enabled" }} {{- if not $appProxyContext.Values.config.argoWorkflowsUrl }} {{- $argoWorkflowsUrl := include "codefresh-gitops-runtime.argo-workflows.server.url" . }} diff --git a/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml b/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml index f96892a4..8d1669eb 100644 --- a/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml +++ b/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml @@ -1,5 +1,5 @@ {{- $externalArgoCDValues := (index .Values "global" "external-argo-cd" "auth") }} -{{- if $externalArgoCDValues.password -}} +{{- if $externalArgoCDValues.password }} --- apiVersion: v1 kind: Secret @@ -12,7 +12,7 @@ stringData: token: {{ $externalArgoCDValues.password }} {{- end }} -{{- if $externalArgoCDValues.token -}} +{{- if $externalArgoCDValues.token }} --- apiVersion: v1 kind: Secret diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 81b56609..1ff4c8ae 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml 
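Review bot: In `external-argocd-token.yaml` the Secret value is still rendered unquoted as `token: {{ $externalArgoCDValues.password }}`, which this change touches only for whitespace trimming. A password that is all digits, looks like a boolean, or contains `: `, ` #` or a leading YAML indicator will be retyped or break the manifest. Use `token: {{ $externalArgoCDValues.password | quote }}`. The token Secret in the second hunk likely needs the same treatment, but its value line is outside the hunk. Both Secrets are also created whenever the plaintext value is present, regardless of `auth.type`, so a credential for the unused auth type still ends up in the cluster. Consider gating each block on the matching type.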
@@ -6,16 +6,17 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} -{{- if and (not (index .Values "argo-cd" "enabled")) }} - {{- if and (eq (index .Values "global" "external-argo-cd" "auth" "type") "token") }} - {{- if not (index $context.Values "global" "external-argo-cd" "auth" "token") }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "name")) }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" (index $context.Values "global" "external-argo-cd" "auth" "tokenSecretKeyRef" "key")) }} - {{- else }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} - {{- end }} - {{- end }} +{{- $argoCdAuth := (index .Values "global" "external-argo-cd" "auth") }} +{{- if (eq $argoCdAuth.type "token") }} + {{- if $argoCdAuth.token }} + {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} + {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} + {{- else if $argoCdAuth.tokenSecretKeyRef }} + {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} + {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore 
.Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} + {{- else }} + {{ fail ".Values.global.external-argo-cd.auth.type is 'token' and .Values.global.external-argo-cd.auth.token or .Values.global.external-argo-cd.auth.tokenSecretKeyRef are not set" }} + {{- end }} {{- end }} {{/* Set argo-cd-server service and port */}} 
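Review bot: The token-secret resolution block added here is an exact copy of the one added to `event-reporter/_statefulset.yaml` and `sources-server/_deployment.yaml`, differing only in the target map (`$context.Values.env` vs `$context.Values.container.env`). Three copies of credential-selection logic tend to drift apart. Move it into one named template in `_helpers.tpl` that returns the secret name and key, and call it from all three. This hunk also drops the previous `not (index .Values "argo-cd" "enabled")` guard, so `auth.type: token` now takes effect, or fails the render, even when the bundled Argo CD is enabled. If that is intended, say so in a comment above the block. The copies read the auth values from `.Values` while writing to `$context.Values`; using one source consistently would avoid confusion.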
@@ -25,22 +26,22 @@ {{/* Set workflows url */}} {{- if index .Values "argo-workflows" "enabled" }} - {{- if not $context.Values.env.ARGO_WF_URL }} - {{- $argoWorkflowsUrl := include "codefresh-gitops-runtime.argo-workflows.server.url" . }} - {{- $_ := set $context.Values.env "ARGO_WF_URL" $argoWorkflowsUrl }} - {{- end }} + {{- if not $context.Values.env.ARGO_WF_URL }} + {{- $argoWorkflowsUrl := include "codefresh-gitops-runtime.argo-workflows.server.url" . }} + {{- $_ := set $context.Values.env "ARGO_WF_URL" $argoWorkflowsUrl }} + {{- end }} {{- end}} {{/* Set certificates */}} {{- if or $context.Values.global.codefresh.tls.caCerts.secret.create $context.Values.global.codefresh.tls.caCerts.secretKeyRef}} - {{- $_ := set $context.Values.global.codefresh.tls.caCerts.secretKeyRef "name" ($context.Values.global.codefresh.tls.caCerts.secret.create | ternary "codefresh-tls-certs" $context.Values.global.codefresh.tls.caCerts.secretKeyRef.name) }} - {{- $_ := set $context.Values.global.codefresh.tls.caCerts.secretKeyRef "key" ($context.Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" $context.Values.global.codefresh.tls.caCerts.secret.key) $context.Values.global.codefresh.tls.caCerts.secretKeyRef.key) }} + {{- $_ := set $context.Values.global.codefresh.tls.caCerts.secretKeyRef "name" ($context.Values.global.codefresh.tls.caCerts.secret.create | ternary "codefresh-tls-certs" $context.Values.global.codefresh.tls.caCerts.secretKeyRef.name) }} + {{- $_ := set $context.Values.global.codefresh.tls.caCerts.secretKeyRef "key" ($context.Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" $context.Values.global.codefresh.tls.caCerts.secret.key) $context.Values.global.codefresh.tls.caCerts.secretKeyRef.key) }} {{- end }} {{- if and (gt (int $context.Values.replicaCount) 1 ) }} -{{- $_ := set $context.Values.env "LEADER_ELECT" "true" }} + {{- $_ := set $context.Values.env "LEADER_ELECT" "true" }} {{- else }} -{{- $_ 
:= set $context.Values.env "LEADER_ELECT" "false" }} + {{- $_ := set $context.Values.env "LEADER_ELECT" "false" }} {{- end }} {{- include "gitops-operator.resources.deployment" $context }} diff --git a/charts/gitops-runtime/tests/external_argocd_test.yaml b/charts/gitops-runtime/tests/external_argocd_test.yaml index a8bee393..72e588d0 100644 --- a/charts/gitops-runtime/tests/external_argocd_test.yaml +++ b/charts/gitops-runtime/tests/external_argocd_test.yaml @@ -19,7 +19,7 @@ tests: path: data.argoCdUrl value: http://my-argocd-server - - it: app-proxy ConfigMap should have valid ArgoCd Username + - it: app-proxy ConfigMap should have valid default ArgoCd Username values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml 
@@ -41,19 +41,57 @@ tests: path: data.argoCdUsername value: adminoverride - - it: app-proxy ConfigMap should have isExternalArgoCD key set to true + - it: app-proxy ConfigMap override priority should prefer value from app-proxy.config (for backward compatibility) values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml template: app-proxy/config.yaml set: - global.external-argo-cd.auth.username: adminoverride + global.external-argo-cd.auth.username: external-adminoverride + app-proxy.config.argoCdUsername: app-proxy-adminoverride + asserts: + - equal: + path: data.argoCdUsername + value: app-proxy-adminoverride + + - it: app-proxy ConfigMap should *not* have username, if auth.type is token + values: + - ./values/mandatory-values-ingress.yaml + - ./values/external-argocd-values.yaml + template: app-proxy/config.yaml + set: + global.external-argo-cd.auth.type: token + global.external-argo-cd.auth.token: some-token + asserts: + - notExists: + path: data.argoCdUsername + + - it: app-proxy ConfigMap should have isExternalArgoCD key set to true + values: + - ./values/mandatory-values-ingress.yaml + - ./values/external-argocd-values.yaml + template: app-proxy/config.yaml asserts: - equal: path: data.isExternalArgoCD value: "true" - - it: app-proxy Deployment should have valid ARGO_CD_PASSWORD env var set via passwordSecretKeyRef + - it: app-proxy Deployment should have valid deafult ARGO_CD_USERNAME env var if auth.type is password + values: + - ./values/mandatory-values-ingress.yaml + - ./values/external-argocd-values.yaml + template: app-proxy/deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ARGO_CD_USERNAME + valueFrom: + secretKeyRef: + key: argoCdUsername + name: cap-app-proxy-cm + + - it: app-proxy Deployment should have valid deafult ARGO_CD_PASSWORD env var set via passwordSecretKeyRef values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml 
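Review bot: The new ARGO_CD_USERNAME test asserts `valueFrom.secretKeyRef` with `name: cap-app-proxy-cm`, but the `codefresh-gitops-runtime.argocd-auth` helper added in this same patch emits `configMapKeyRef` for that variable. Unless the common env-var template rewrites the reference (not visible here), the assertion cannot match. The expected content should read `configMapKeyRef:` with `key: argoCdUsername` and `name: cap-app-proxy-cm`. The two new test titles also spell "default" as "deafult".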
@@ -68,13 +106,30 @@ tests: key: password name: argocd-initial-admin-secret + - it: app-proxy Deployment should have valid ARGO_CD_PASSWORD env var set via passwordSecretKeyRef override + values: + - ./values/mandatory-values-ingress.yaml + - ./values/external-argocd-values.yaml + template: app-proxy/deployment.yaml + set: + global.external-argo-cd.auth.passwordSecretKeyRef.name: name-override + global.external-argo-cd.auth.passwordSecretKeyRef.key: key-override + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: ARGO_CD_PASSWORD + valueFrom: + secretKeyRef: + key: key-override + name: name-override + - it: app-proxy Deploymeny should have valid ARGO_CD_PASSWORD env var set via plaintext password values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.passwordSecretKeyRef: [] global.external-argo-cd.auth.password: token asserts: - contains: 
@@ -86,29 +141,56 @@ tests: key: token name: gitops-runtime-argo-cd-password - - it: app-proxy Deployment should have valid ARGO_CD_USERNAME env var set via plaintext username + - it: app-proxy Deployment should *not* have ARGO_CD_TOKEN env var if auth.type is password + values: + - ./values/mandatory-values-ingress.yaml + - ./values/external-argocd-values.yaml + template: app-proxy/deployment.yaml + asserts: + - notContains: + any: true + path: spec.template.spec.containers[0].env + content: + name: ARGO_CD_TOKEN + + - it: app-proxy Deployment should *not* have ARGO_CD_USERNAME env var if auth.type is token values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.username: adminoverride + global.external-argo-cd.auth.type: token + global.external-argo-cd.auth.token: plaintexttoken asserts: - - contains: + - notContains: + any: true path: spec.template.spec.containers[0].env content: name: ARGO_CD_USERNAME - value: adminoverride - - it: app-proxy Deployment should have valid ARGO_CD_TOKEN env var set via tokenSecretKeyRef + - it: app-proxy Deployment should *not* have ARGO_CD_PASSWORD env var if auth.type is token values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global.external-argo-cd.auth.token: plaintexttoken + asserts: + - notContains: + any: true + path: spec.template.spec.containers[0].env + content: + name: ARGO_CD_PASSWORD + + - it: app-proxy Deployment should have valid ARGO_CD_TOKEN env var set via plaintext token + values: + - ./values/mandatory-values-ingress.yaml + - ./values/external-argocd-values.yaml + template: app-proxy/deployment.yaml + set: + global.external-argo-cd.auth.type: token + 
global.external-argo-cd.auth.token: plaintexttoken asserts: - contains: path: spec.template.spec.containers[0].env @@ -116,17 +198,18 @@ tests: name: ARGO_CD_TOKEN valueFrom: secretKeyRef: - key: my-token - name: my-argocd-secret + key: token + name: gitops-runtime-argo-cd-token - - it: app-proxy Deployment should have valid ARGO_CD_TOKEN env var set via plaintext token + - it: app-proxy Deployment should have valid ARGO_CD_TOKEN env var set via tokenSecretKeyRef values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-secret + global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -134,8 +217,8 @@ tests: name: ARGO_CD_TOKEN valueFrom: secretKeyRef: - key: token - name: gitops-runtime-argo-cd-token + key: my-token + name: my-argocd-secret - it: gitops-operator Deployment should have valid ARGO_CD_TOKEN_SECRET_NAME env var set via tokenSecretKeyRef values: @@ -477,19 +560,6 @@ tests: name: ARGO_CD_TOKEN_SECRET_KEY value: token - - it: should require ArgoCd password if auth.type=password is set and no password is provided - values: - - ./values/mandatory-values-ingress.yaml - - ./values/external-argocd-values.yaml - template: app-proxy/deployment.yaml - set: - global.external-argo-cd.auth.type: password - global.external-argo-cd.auth.password: null - global.external-argo-cd.auth.passwordSecretKeyRef: [] - asserts: - - failedTemplate: - errorMessage: "ArgoCD is not enabled and .Values.global.external-argo-cd.auth.password or .Values.global.external-argo-cd.auth.passwordSecretKeyRef is not set" - - it: should require ArgoCd redis address if it's not provided template: cf-argocd-extras/sources-server/deployment.yaml values: 
diff --git a/charts/gitops-runtime/tests/values/external-argocd-values.yaml b/charts/gitops-runtime/tests/values/external-argocd-values.yaml index 5bc63344..db86d10d 100644 --- a/charts/gitops-runtime/tests/values/external-argocd-values.yaml +++ b/charts/gitops-runtime/tests/values/external-argocd-values.yaml @@ -13,20 +13,6 @@ global: repoServer: svc: my-argocd-repo-server port: 8081 - auth: - type: password - - username: "admin" - password: "" - passwordSecretKeyRef: - name: argocd-initial-admin-secret - key: password - - token: "" - tokenSecretKeyRef: - name: "" - key: "" argo-cd: enabled: false - diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 9d96db10..62a1836c 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml @@ -613,8 +613,8 @@ app-proxy: nameOverride: "" fullnameOverride: "cap-app-proxy" config: - # -- ArgoCD user to be used by app-proxy - argoCdUsername: "admin" + # -- deprecated. use `global.external-argo-cd.auth.username` instead + argoCdUsername: "" # -- ArgoCD Url. determined by chart logic. Do not change unless you are certain you need to argoCdUrl: # -- Workflows server url. Determined by chart logic. Do not change unless you are certain you need to diff --git a/scripts/helm-unittests.sh b/scripts/helm-unittests.sh index b33be9f8..2cdcdf29 100755 --- a/scripts/helm-unittests.sh +++ b/scripts/helm-unittests.sh 
@@ -5,4 +5,4 @@ CHART_DIR="$(cd "$(dirname "$0")/.." && pwd)" echo "$CHART_DIR" echo "Running Helm unittests" -docker run --entrypoint "/bin/sh" -it --rm -v $CHART_DIR/charts:/charts alpine/helm:3.14.4 -c 'helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 0.5.1 && helm unittest /charts/gitops-runtime' +docker run --entrypoint "/bin/sh" -it --rm -v $CHART_DIR/charts:/charts alpine/helm:3.19.0 -c 'helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 1.0.1 && helm unittest /charts/gitops-runtime -f tests/external_argocd_test.yaml' From 4d8dca7a6a81409ffdc75d15bb700aa9a24beb51 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Wed, 1 Oct 2025 14:14:44 +0300 Subject: [PATCH 03/11] removed unused config fields --- .../templates/_components/cap-app-proxy/_config.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml index 9937ed42..172d4f9f 100644 --- a/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml +++ b/charts/gitops-runtime/templates/_components/cap-app-proxy/_config.yaml @@ -6,7 +6,6 @@ isConfigurationRuntime: {{ .Values.global.runtime.isConfigurationRuntime | quote isExternalArgoCD: {{ .Values.global.runtime.isExternalArgoCD | quote }} runtimeName: {{ required "global.runtime.name is required" .Values.global.runtime.name | quote}} isNamespacedRuntime: {{ .Values.global.runtime.singleNamespace | quote }} -skipGitPermissionValidation: {{ .Values.config.skipGitPermissionValidation | quote }} logLevel: {{ .Values.config.logLevel | quote }} {{- $enrichmentValues := get .Values "image-enrichment" }} {{- if $enrichmentValues.enabled }} 
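Review bot: The rewritten `docker run` line in `scripts/helm-unittests.sh` pulls `alpine/helm:3.19.0` by mutable tag and installs the helm-unittest plugin from GitHub at run time, so what executes against the mounted chart directory is only as trustworthy as those two tags on the day of the run. Pinning the image by digest, `alpine/helm:3.19.0@sha256:<digest>` (placeholder), makes the run reproducible and tamper-evident. The volume argument is also unquoted; `-v "$CHART_DIR/charts:/charts"` avoids word splitting when the checkout path contains spaces. The same line is changed again in PATCH 04 and PATCH 06 of this series.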
@@ -25,7 +24,7 @@ enrichmentJiraEnrichmentImage: {{ printf "%s/%s:%s" $enrichmentValues.config.ima {{- define "cap-app-proxy.resources.configmap" }} {{- $documentedConfigs := (include "cap-app-proxy.resources.configmap-documented-configs" . | fromYaml ) }} -{{- $overrides := omit .Values.config "argoWorkflowsInsecure" "clusterChunkSize" "cors" "singleNamespace" "skipGitPermissionValidation" }} +{{- $overrides := omit .Values.config "argoWorkflowsInsecure" "clusterChunkSize" "cors" }} {{- $mergedConfig := mergeOverwrite $documentedConfigs $overrides }} apiVersion: v1 kind: ConfigMap From bb86a018ff5f6c8b18bba9874c1870222b9600cb Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Wed, 1 Oct 2025 14:39:12 +0300 Subject: [PATCH 04/11] removed accidental commit --- scripts/helm-unittests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/helm-unittests.sh b/scripts/helm-unittests.sh index 2cdcdf29..e76137f3 100755 --- a/scripts/helm-unittests.sh +++ b/scripts/helm-unittests.sh @@ -5,4 +5,4 @@ CHART_DIR="$(cd "$(dirname "$0")/.." && pwd)" echo "$CHART_DIR" echo "Running Helm unittests" -docker run --entrypoint "/bin/sh" -it --rm -v $CHART_DIR/charts:/charts alpine/helm:3.19.0 -c 'helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 1.0.1 && helm unittest /charts/gitops-runtime -f tests/external_argocd_test.yaml' +docker run --entrypoint "/bin/sh" -it --rm -v $CHART_DIR/charts:/charts alpine/helm:3.19.0 -c 'helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 1.0.1 && helm unittest /charts/gitops-runtime' From 7e874751364bde700f419c70dabedffaf4b944cd Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Sun, 5 Oct 2025 09:52:02 +0300 Subject: [PATCH 05/11] fixed component-tests gitea to not depend on bitnami images --- .../component-tests/setup/values/gitea.values.yaml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
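Review bot: Dropping `"singleNamespace"` and `"skipGitPermissionValidation"` from the `omit` list means any value still present under `app-proxy.config` with those names is now copied into the ConfigMap by `mergeOverwrite` as-is, without the `| quote` that the documented entries get. This patch touches only `_config.yaml`, so if `values.yaml` or a user's overrides still carry `skipGitPermissionValidation` as a boolean, the rendered `data` would presumably hold a non-string value, which a ConfigMap does not accept. Either remove the keys from `values.yaml` in the same patch or keep them in the `omit` list until they are gone. The rest of the `cap-app-proxy.resources.configmap` define is outside the hunk.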
diff --git a/tests/component-tests/setup/values/gitea.values.yaml b/tests/component-tests/setup/values/gitea.values.yaml index 4629621e..51729b97 100644 --- a/tests/component-tests/setup/values/gitea.values.yaml +++ b/tests/component-tests/setup/values/gitea.values.yaml @@ -8,9 +8,15 @@ # These values are used by the Helm install command in the test suite to # ensure a minimal and reliable Gitea setup for testing purposes. # ----------------------------------------------------------------------------- -redis-cluster: - enabled: false postgresql-ha: enabled: false -postgresql: - enabled: true + +valkey-cluster: + enabled: false + +gitea: + config: + database: + DB_TYPE: sqlite3 + HOST: localhost + PORT: 3306 From 080eba2b3dff8948a5edffa6656379a008ea8727 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Sun, 5 Oct 2025 12:42:44 +0300 Subject: [PATCH 06/11] fixed tests --- ...o-projects-templates-integration_test.yaml | 9 +- .../tests/external_argocd_test.yaml | 240 +++++++++++++----- scripts/helm-unittests.sh | 2 +- 3 files changed, 179 insertions(+), 72 deletions(-) diff --git a/charts/gitops-runtime/tests/argo-projects-templates-integration_test.yaml b/charts/gitops-runtime/tests/argo-projects-templates-integration_test.yaml index 7b79c4fc..3f496141 100644 --- a/charts/gitops-runtime/tests/argo-projects-templates-integration_test.yaml +++ b/charts/gitops-runtime/tests/argo-projects-templates-integration_test.yaml @@ -29,12 +29,15 @@ tests: values: - ./values/mandatory-values.yaml set: - argo-cd.fullnameOverride: argo-cd-test - argo-cd.configs.params.server\.insecure: false + argo-cd: + fullnameOverride: argo-cd-testasd + configs: + params: + "server.insecure": false asserts: - equal: path: data.argoCdUrl - value: https://argo-cd-test-server:443 + value: https://argo-cd-testasd-server:443 # ------------------------------------------------------------------------------------------ # Argo Workflows 
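Review bot: With `DB_TYPE: sqlite3` the `HOST: localhost` and `PORT: 3306` entries in `gitea.values.yaml` look like leftovers from a MySQL setup: 3306 is the MySQL default port, SQLite works on a file path, and as far as I know Gitea's `[database]` section has no `PORT` key. Dropping both lines, or adding a comment such as `# sqlite3: no external database; HOST is ignored`, keeps the test values from suggesting that a network database is in use. The file's header comment could also state that the bundled database and cache sub-charts are disabled on purpose.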
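Review bot: In `argo-projects-templates-integration_test.yaml`, `fullnameOverride: argo-cd-testasd` and the matching expectation `https://argo-cd-testasd-server:443` read like a debugging leftover; `argo-cd-test`, as before, says what the test means. The substantive change is the move from the escaped dotted key to a nested map with the quoted key `"server.insecure"`, and it deserves a short comment, e.g. `# key contains a dot, so it is set as a nested map rather than a dotted path`.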
diff --git a/charts/gitops-runtime/tests/external_argocd_test.yaml b/charts/gitops-runtime/tests/external_argocd_test.yaml index 72e588d0..c1eb7c13 100644 --- a/charts/gitops-runtime/tests/external_argocd_test.yaml +++ b/charts/gitops-runtime/tests/external_argocd_test.yaml @@ -35,7 +35,10 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/config.yaml set: - global.external-argo-cd.auth.username: adminoverride + global: + external-argo-cd: + auth: + username: adminoverride asserts: - equal: path: data.argoCdUsername @@ -47,8 +50,13 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/config.yaml set: - global.external-argo-cd.auth.username: external-adminoverride - app-proxy.config.argoCdUsername: app-proxy-adminoverride + global: + external-argo-cd: + auth: + username: external-adminoverride + app-proxy: + config: + argoCdUsername: app-proxy-adminoverride asserts: - equal: path: data.argoCdUsername @@ -60,8 +68,11 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/config.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: some-token + global: + external-argo-cd: + auth: + type: token + token: some-token asserts: - notExists: path: data.argoCdUsername @@ -87,7 +98,7 @@ tests: content: name: ARGO_CD_USERNAME valueFrom: - secretKeyRef: + configMapKeyRef: key: argoCdUsername name: cap-app-proxy-cm @@ -112,8 +123,12 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.passwordSecretKeyRef.name: name-override - global.external-argo-cd.auth.passwordSecretKeyRef.key: key-override + global: + external-argo-cd: + auth: + passwordSecretKeyRef: + name: name-override + key: key-override asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -130,7 +145,10 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.password: token + global: + external-argo-cd: + auth: + password: token asserts: - contains: path: spec.template.spec.containers[0].env @@ -159,8 +177,11 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: plaintexttoken + global: + external-argo-cd: + auth: + type: token + token: plaintexttoken asserts: - notContains: any: true @@ -174,8 +195,11 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: plaintexttoken + global: + external-argo-cd: + auth: + type: token + token: plaintexttoken asserts: - notContains: any: true @@ -189,8 +213,11 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: plaintexttoken + global: + external-argo-cd: + auth: + type: token + token: plaintexttoken asserts: - contains: path: spec.template.spec.containers[0].env @@ -207,9 +234,13 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-secret + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -217,8 +248,8 @@ tests: name: ARGO_CD_TOKEN valueFrom: secretKeyRef: - key: my-token name: my-argocd-secret + key: my-token - it: gitops-operator Deployment should have valid ARGO_CD_TOKEN_SECRET_NAME env var set via tokenSecretKeyRef values: 
@@ -226,15 +257,19 @@ tests: - ./values/external-argocd-values.yaml template: gitops-operator/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-token-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-secret + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env content: name: ARGO_CD_TOKEN_SECRET_NAME - value: my-argocd-token-secret + value: my-argocd-secret - it: gitops-operator Deployment should have valid ARGO_CD_TOKEN_SECRET_KEY env var set via tokenSecretKeyRef values: @@ -242,9 +277,13 @@ tests: - ./values/external-argocd-values.yaml template: gitops-operator/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-token-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-secret + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -258,8 +297,11 @@ tests: - ./values/external-argocd-values.yaml template: gitops-operator/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global: + external-argo-cd: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -273,8 +315,11 @@ tests: - ./values/external-argocd-values.yaml template: gitops-operator/deployment.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global: + external-argo-cd: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -388,15 +433,19 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-token-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env content: name: ARGO_CD_TOKEN_SECRET_NAME - value: my-argocd-token-secret + value: my-argocd-token - it: event-reporter StatefulSet should have valid ARGO_CD_TOKEN_SECRET_KEY env var set via tokenSecretKeyRef template: cf-argocd-extras/event-reporter/statefulset.yaml @@ -404,9 +453,13 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-token-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -420,8 +473,11 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global: + external-argo-cd: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -435,8 +491,11 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global: + external-argo-cd: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -504,15 +563,19 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-token-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env content: name: ARGO_CD_TOKEN_SECRET_NAME - value: my-argocd-token-secret + value: my-argocd-token - it: sources-server Deployment should have valid ARGO_CD_TOKEN_SECRET_KEY env var set via tokenSecretKeyRef template: cf-argocd-extras/sources-server/deployment.yaml @@ -520,9 +583,13 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.tokenSecretKeyRef.name: my-argocd-token-secret - global.external-argo-cd.auth.tokenSecretKeyRef.key: my-token + global: + external-argo-cd: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -536,8 +603,11 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global: + external-argo-cd: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -551,8 +621,11 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: "plaintexttoken" + global: + external-argo-cd: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -566,7 +639,9 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.redis: null + global: + external-argo-cd: + redis: null asserts: - failedTemplate: errorMessage: "ArgoCD is not enabled and .Values.global.external-argo-cd.redis is not set" @@ -577,7 +652,9 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.repoServer: null + global: + external-argo-cd: + repoServer: null asserts: - failedTemplate: errorMessage: "ArgoCD is not enabled and .Values.global.external-argo-cd.repoServer is not set" @@ -588,7 +665,10 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/deployment.yaml set: - global.external-argo-cd.auth.type: invalid + global: + external-argo-cd: + auth: + type: invalid asserts: - failedTemplate: errorMessage: "Invalid value for .Values.global.external-argo-cd.auth.type: invalid. Allowed values are: [password token]" @@ -599,7 +679,10 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.server.rootpath: /argocd + global: + external-argo-cd: + server: + rootpath: /argocd asserts: - contains: path: spec.template.spec.containers[0].env @@ -613,7 +696,10 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.server.rootpath: /argocd + global: + external-argo-cd: + server: + rootpath: /argocd asserts: - contains: path: spec.template.spec.containers[0].env @@ -627,7 +713,10 @@ tests: - ./values/external-argocd-values.yaml template: app-proxy/config.yaml set: - global.external-argo-cd.server.rootpath: /argocd + global: + external-argo-cd: + server: + rootpath: /argocd asserts: - equal: path: data.argoCdUrl 
@@ -639,7 +728,10 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.server.rootpath: /argocd + global: + external-argo-cd: + server: + rootpath: /argocd asserts: - contains: path: spec.template.spec.containers[0].env @@ -653,8 +745,11 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: mytoken + global: + external-argo-cd: + auth: + type: token + token: mytoken asserts: - isKind: of: Secret @@ -670,8 +765,11 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: password - global.external-argo-cd.auth.password: mypassword + global: + external-argo-cd: + auth: + type: password + password: mypassword asserts: - isKind: of: Secret @@ -700,10 +798,14 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.auth.type: token - global.external-argo-cd.auth.token: null - global.external-argo-cd.auth.tokenSecretKeyRef.name: null - global.external-argo-cd.auth.tokenSecretKeyRef.key: null + global: + external-argo-cd: + auth: + type: token + token: null + tokenSecretKeyRef: + name: null + key: null asserts: - failedTemplate: errorMessage: ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" @@ -714,7 +816,9 @@ tests: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml set: - global.external-argo-cd.server: null + global: + external-argo-cd: + server: null asserts: - failedTemplate: errorMessage: "ArgoCD is not enabled and .Values.global.external-argo-cd.server is not set" diff --git a/scripts/helm-unittests.sh b/scripts/helm-unittests.sh index e76137f3..e8c30d09 100755 --- a/scripts/helm-unittests.sh 
+++ b/scripts/helm-unittests.sh @@ -5,4 +5,4 @@ CHART_DIR="$(cd "$(dirname "$0")/.." && pwd)" echo "$CHART_DIR" echo "Running Helm unittests" -docker run --entrypoint "/bin/sh" -it --rm -v $CHART_DIR/charts:/charts alpine/helm:3.19.0 -c 'helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 1.0.1 && helm unittest /charts/gitops-runtime' +docker run --entrypoint "/bin/sh" -it --rm -v $CHART_DIR/charts:/charts alpine/helm:3.19.0 -c 'helm plugin install https://github.com/helm-unittest/helm-unittest.git --version 1.0.2 && helm unittest /charts/gitops-runtime' From 099114547714eddb5e382cc618f6e0842b6d15b8 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Sun, 5 Oct 2025 13:51:07 +0300 Subject: [PATCH 07/11] move global.external-argo-cd.auth into global.integrations.argo-cd.server.auth --- .../event-reporter/_statefulset.yaml | 8 +- .../sources-server/_deployment.yaml | 8 +- charts/gitops-runtime/templates/_helpers.tpl | 28 +- .../app-proxy/external-argocd-token.yaml | 10 +- .../templates/gitops-operator/deployment.yaml | 8 +- .../tests/external_argocd_test.yaml | 282 +++++++++++------- charts/gitops-runtime/values.yaml | 50 ++-- 7 files changed, 224 insertions(+), 170 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml index 3d2d2031..b3f73aa4 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml 
@@ -15,16 +15,16 @@ {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key" (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }} {{- end }} -{{- $argoCdAuth := (index .Values "global" "external-argo-cd" "auth") }} +{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} {{- if (eq $argoCdAuth.type "token") }} {{- if $argoCdAuth.token }} {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} {{- else if $argoCdAuth.tokenSecretKeyRef }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} {{- else }} - {{ fail ".Values.global.external-argo-cd.auth.type is 'token' and .Values.global.external-argo-cd.auth.token or .Values.global.external-argo-cd.auth.tokenSecretKeyRef are not set" }} + {{ fail ".Values.global.integrations.argo-cd.auth.type is 
'token' and .Values.global.integrations.argo-cd.auth.token or .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef are not set" }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml index 16a38003..90f38adc 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml 
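Review bot: The rewritten `required` and `fail` messages in the event-reporter `_statefulset.yaml` name `.Values.global.integrations.argo-cd.auth.*`, but the value is read one level deeper, from `index .Values "global" "integrations" "argo-cd" "server" "auth"`, so a user following the error would set a key the chart never reads. The messages should say `.Values.global.integrations.argo-cd.server.auth.type`, `.Values.global.integrations.argo-cd.server.auth.tokenSecretKeyRef.name` and so on. The same mismatch appears in the sources-server `_deployment.yaml` hunk and in the `fail` messages of `codefresh-gitops-runtime.argocd-auth` in `_helpers.tpl` later in this patch. The template continues outside the hunk.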
@@ -15,16 +15,16 @@ {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key" (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }} {{- end }} -{{- $argoCdAuth := (index .Values "global" "external-argo-cd" "auth") }} +{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} {{- if (eq $argoCdAuth.type "token") }} {{- if $argoCdAuth.token }} {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} {{- else if $argoCdAuth.tokenSecretKeyRef }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} + {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} {{- else }} - {{ fail ".Values.global.external-argo-cd.auth.type is 'token' and .Values.global.external-argo-cd.auth.token or .Values.global.external-argo-cd.auth.tokenSecretKeyRef are not set" }} + {{ fail ".Values.global.integrations.argo-cd.auth.type is 
'token' and .Values.global.integrations.argo-cd.auth.token or .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef are not set" }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index 01b59c26..dedf5040 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl @@ -236,8 +236,8 @@ Determine argocd server url witout the protocol. Must be called with chart root {{- end}} {{- define "codefresh-gitops-runtime.argocd-auth" -}} - {{- $authValues := (index .Values "global" "external-argo-cd" "auth") }} - {{- if (eq $authValues.type "password") }} + {{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} + {{- if (eq $argoCdAuth.type "password") }} ARGO_CD_USERNAME: valueFrom: configMapKeyRef: 
@@ -246,28 +246,28 @@ ARGO_CD_USERNAME: ARGO_CD_PASSWORD: valueFrom: secretKeyRef: - {{- if $authValues.password }} + {{- if $argoCdAuth.password }} name: gitops-runtime-argo-cd-password key: token - {{- else if $authValues.passwordSecretKeyRef }} - {{- $authValues.passwordSecretKeyRef | toYaml | nindent 6 }} + {{- else if $argoCdAuth.passwordSecretKeyRef }} + {{- $argoCdAuth.passwordSecretKeyRef | toYaml | nindent 6 }} {{- end }} - {{- else if (eq $authValues.type "token") }} + {{- else if (eq $argoCdAuth.type "token") }} ARGO_CD_TOKEN: valueFrom: secretKeyRef: - {{- if $authValues.token }} + {{- if $argoCdAuth.token }} name: gitops-runtime-argo-cd-token key: token - {{- else if $authValues.tokenSecretKeyRef }} - {{- if and (hasKey $authValues.tokenSecretKeyRef "name") (hasKey $authValues.tokenSecretKeyRef "key") }} - {{- $authValues.tokenSecretKeyRef | toYaml | nindent 6 }} + {{- else if $argoCdAuth.tokenSecretKeyRef }} + {{- if and (hasKey $argoCdAuth.tokenSecretKeyRef "name") (hasKey $argoCdAuth.tokenSecretKeyRef "key") }} + {{- $argoCdAuth.tokenSecretKeyRef | toYaml | nindent 6 }} {{- else }} - {{- fail "Both 'name' and 'key' must be set in .Values.global.external-argo-cd.auth.tokenSecretKeyRef" }} + {{- fail "Both 'name' and 'key' must be set in .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef" }} {{- end }} {{- end }} {{- else }} - {{ fail (printf "Invalid value for .Values.global.external-argo-cd.auth.type: %s. Allowed values are: [password token]" $authValues.type) }} + {{ fail (printf "Invalid value for .Values.global.integrations.argo-cd.auth.type: %s. Allowed values are: [password token]" $argoCdAuth.type) }} {{- end }} {{- end }} 
@@ -275,9 +275,9 @@ ARGO_CD_TOKEN: Determine argocd server username ConfigMap. */}} {{- define "codefresh-gitops-runtime.argocd.server.username-cm" }} - {{- $externalArgoCDValues := (index .Values "global" "external-argo-cd" "auth") }} + {{- $externalArgoCDValues := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} {{- if (eq $externalArgoCDValues.type "password") }} - {{- coalesce (index .Values "app-proxy" "config" "argoCdUsername") (index .Values "global" "external-argo-cd" "auth" "username") "" }} + {{- coalesce (index .Values "app-proxy" "config" "argoCdUsername") (index .Values "global" "integrations" "argo-cd" "server" "auth" "username") "" }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml b/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml index 8d1669eb..2b66ae9a 100644 --- a/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml +++ b/charts/gitops-runtime/templates/app-proxy/external-argocd-token.yaml @@ -1,5 +1,5 @@ -{{- $externalArgoCDValues := (index .Values "global" "external-argo-cd" "auth") }} -{{- if $externalArgoCDValues.password }} +{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} +{{- if $argoCdAuth.password }} --- apiVersion: v1 kind: Secret @@ -9,10 +9,10 @@ metadata: {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} type: Opaque stringData: - token: {{ $externalArgoCDValues.password }} + token: {{ $argoCdAuth.password }} {{- end }} -{{- if $externalArgoCDValues.token }} +{{- if $argoCdAuth.token }} --- apiVersion: v1 kind: Secret @@ -22,5 +22,5 @@ metadata: {{- include "codefresh-gitops-runtime.labels" . | nindent 4 }} type: Opaque stringData: - token: {{ $externalArgoCDValues.token }} + token: {{ $argoCdAuth.token }} {{- end }} 
diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 1ff4c8ae..48eb6243 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml 
@@ -6,16 +6,16 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} -{{- $argoCdAuth := (index .Values "global" "external-argo-cd" "auth") }} +{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} {{- if (eq $argoCdAuth.type "token") }} {{- if $argoCdAuth.token }} {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} {{- else if $argoCdAuth.tokenSecretKeyRef }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} + {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} + {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} {{- else }} - {{ fail ".Values.global.external-argo-cd.auth.type is 'token' and .Values.global.external-argo-cd.auth.token or .Values.global.external-argo-cd.auth.tokenSecretKeyRef are not set" }} + {{ fail ".Values.global.integrations.argo-cd.auth.type is 'token' and .Values.global.integrations.argo-cd.auth.token or .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef are 
not set" }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/tests/external_argocd_test.yaml b/charts/gitops-runtime/tests/external_argocd_test.yaml index c1eb7c13..480b2327 100644 --- a/charts/gitops-runtime/tests/external_argocd_test.yaml +++ b/charts/gitops-runtime/tests/external_argocd_test.yaml @@ -36,9 +36,11 @@ tests: template: app-proxy/config.yaml set: global: - external-argo-cd: - auth: - username: adminoverride + integrations: + argo-cd: + server: + auth: + username: adminoverride asserts: - equal: path: data.argoCdUsername @@ -51,9 +53,11 @@ tests: template: app-proxy/config.yaml set: global: - external-argo-cd: - auth: - username: external-adminoverride + integrations: + argo-cd: + server: + auth: + username: external-adminoverride app-proxy: config: argoCdUsername: app-proxy-adminoverride @@ -69,10 +73,12 @@ tests: template: app-proxy/config.yaml set: global: - external-argo-cd: - auth: - type: token - token: some-token + integrations: + argo-cd: + server: + auth: + type: token + token: some-token asserts: - notExists: path: data.argoCdUsername @@ -124,11 +130,13 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - passwordSecretKeyRef: - name: name-override - key: key-override + integrations: + argo-cd: + server: + auth: + passwordSecretKeyRef: + name: name-override + key: key-override asserts: - contains: path: spec.template.spec.containers[0].env @@ -146,9 +154,11 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - password: token + integrations: + argo-cd: + server: + auth: + password: token asserts: - contains: path: spec.template.spec.containers[0].env @@ -178,10 +188,12 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - token: plaintexttoken + integrations: + argo-cd: + server: + auth: + type: token + token: plaintexttoken asserts: - notContains: any: true 
@@ -196,10 +208,12 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - token: plaintexttoken + integrations: + argo-cd: + server: + auth: + type: token + token: plaintexttoken asserts: - notContains: any: true @@ -214,10 +228,12 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - token: plaintexttoken + integrations: + argo-cd: + server: + auth: + type: token + token: plaintexttoken asserts: - contains: path: spec.template.spec.containers[0].env @@ -235,12 +251,14 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-secret - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-secret + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -258,12 +276,14 @@ tests: template: gitops-operator/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-secret - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-secret + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -278,12 +298,14 @@ tests: template: gitops-operator/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-secret - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-secret + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -298,10 +320,12 @@ tests: template: gitops-operator/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - token: "plaintexttoken" + integrations: + argo-cd: + server: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -316,10 +340,12 @@ tests: template: gitops-operator/deployment.yaml set: global: - external-argo-cd: - auth: - type: token - token: "plaintexttoken" + integrations: + argo-cd: + server: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -434,12 +460,14 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-token - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -454,12 +482,14 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-token - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -474,10 +504,12 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - token: "plaintexttoken" + integrations: + argo-cd: + server: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -492,10 +524,12 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - token: "plaintexttoken" + integrations: + argo-cd: + server: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env 
@@ -564,12 +598,14 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-token - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -584,12 +620,14 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - tokenSecretKeyRef: - name: my-argocd-token - key: my-token + integrations: + argo-cd: + server: + auth: + type: token + tokenSecretKeyRef: + name: my-argocd-token + key: my-token asserts: - contains: path: spec.template.spec.containers[0].env @@ -604,10 +642,12 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - token: "plaintexttoken" + integrations: + argo-cd: + server: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -622,10 +662,12 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - token: "plaintexttoken" + integrations: + argo-cd: + server: + auth: + type: token + token: "plaintexttoken" asserts: - contains: path: spec.template.spec.containers[0].env @@ -666,12 +708,14 @@ tests: template: app-proxy/deployment.yaml set: global: - external-argo-cd: - auth: - type: invalid + integrations: + argo-cd: + server: + auth: + type: invalid asserts: - failedTemplate: - errorMessage: "Invalid value for .Values.global.external-argo-cd.auth.type: invalid. Allowed values are: [password token]" + errorMessage: "Invalid value for .Values.global.integrations.argo-cd.auth.type: invalid. Allowed values are: [password token]" - it: event-reporter StatefulSet should have valid ARGOCD_SERVER_ROOTPATH env var template: cf-argocd-extras/event-reporter/statefulset.yaml 
@@ -746,10 +790,12 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - token: mytoken + integrations: + argo-cd: + server: + auth: + type: token + token: mytoken asserts: - isKind: of: Secret @@ -766,10 +812,12 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: password - password: mypassword + integrations: + argo-cd: + server: + auth: + type: password + password: mypassword asserts: - isKind: of: Secret @@ -799,16 +847,18 @@ tests: - ./values/external-argocd-values.yaml set: global: - external-argo-cd: - auth: - type: token - token: null - tokenSecretKeyRef: - name: null - key: null + integrations: + argo-cd: + server: + auth: + type: token + token: null + tokenSecretKeyRef: + name: null + key: null asserts: - failedTemplate: - errorMessage: ".Values.global.external-argo-cd.auth.type is set to 'token' therefore .Values.global.external-argo-cd.auth.tokenSecretKeyRef.name is required" + errorMessage: ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" - it: should require ArgoCd server address if it's not provided template: cf-argocd-extras/sources-server/deployment.yaml diff --git a/charts/gitops-runtime/values.yaml b/charts/gitops-runtime/values.yaml index 62a1836c..2795a922 100644 --- a/charts/gitops-runtime/values.yaml +++ b/charts/gitops-runtime/values.yaml 
@@ -131,6 +131,32 @@ global: cpu: 200m memory: 1Gi ephemeral-storage: 2Gi + integrations: + argo-cd: + server: + # -- How GitOps Runtime should authenticate with ArgoCD server + auth: + # -- Authentication type. Can be password or token + type: password + # If `auth.type=password` is set + # -- ArgoCD username in plain text + username: "admin" + # -- ArgoCD password in plain text + password: "" + # -- ArgoCD password referenced by an existing secret + passwordSecretKeyRef: + name: argocd-initial-admin-secret + key: password + # If `auth.type=token` is set + # -- ArgoCD token in plain text + token: "" + # -- ArgoCD token referenced by an existing secret + tokenSecretKeyRef: {} + # e.g: + # tokenSecretKeyRef: + # name: argocd-token + # key: token + # -- Configuration for external ArgoCD # Should be used when `argo-cd.enabled` is set to false external-argo-cd: @@ -154,29 +180,7 @@ global: svc: argocd-repo-server # -- Port of the ArgoCD repo server port: 8081 - # -- ArgoCD username in plain text - # -- How GitOps Runtime should authenticate with ArgoCD - auth: - # -- Authentication type. Can be password or token - type: password - # If `auth.type=password` is set - # -- ArgoCD username in plain text - username: "admin" - # -- ArgoCD password in plain text - password: "" - # -- ArgoCD password referenced by an existing secret - passwordSecretKeyRef: - name: argocd-initial-admin-secret - key: password - # If `auth.type=token` is set - # -- ArgoCD token in plain text - token: "" - # -- ArgoCD token referenced by an existing secret - tokenSecretKeyRef: {} - # e.g: - # tokenSecretKeyRef: - # name: argocd-token - # key: token + # -- Configuration for external Argo Rollouts external-argo-rollouts: # -- Rollout reporter settings From 2ca7c2d76b8d2a2f20b1e3b7e1371a9840c23f4f Mon Sep 17 00:00:00 2001 
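Review bot: Moving `auth` from `global.external-argo-cd` to `global.integrations.argo-cd.server` leaves no guard for values files that still set the old key. The templates touched in this series read only the new path, so an existing `global.external-argo-cd.auth.type: token` would apparently be ignored in favour of the new defaults: `type: password`, user `admin` and `argocd-initial-admin-secret`. Unless a migration check exists outside the visible hunks, the chart would silently switch credentials on upgrade. A render-time failure is safer, for example in `_helpers.tpl`: `{{- if (index .Values "global" "external-argo-cd" "auth") }}{{ fail "global.external-argo-cd.auth has moved to global.integrations.argo-cd.server.auth" }}{{- end }}`. The comments on `password` and `token` could also say that a plain-text value is rendered into a chart-managed Secret and that the `passwordSecretKeyRef` / `tokenSecretKeyRef` form is preferred.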
From: Noam Gal Date: Sun, 5 Oct 2025 17:54:23 +0300 Subject: [PATCH 08/11] added "codefresh-gitops-runtime.argocd-token-auth" simplified event-terpoter/sources-server/gitops-operator argo-cd auth secret name/key injection --- .../cf-argocd-extras/_default-values.tpl | 7 +++--- .../event-reporter/_statefulset.yaml | 13 ---------- .../sources-server/_deployment.yaml | 13 ---------- .../gitops-operator/_deployment.yaml | 3 ++- .../_components/gitops-operator/_env.yaml | 16 ++++++------ charts/gitops-runtime/templates/_helpers.tpl | 25 +++++++++++++++++-- .../templates/gitops-operator/deployment.yaml | 19 -------------- .../tests/external_argocd_test.yaml | 4 +-- 8 files changed, 38 insertions(+), 62 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl b/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl index 37d145e2..02deac9e 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/_default-values.tpl @@ -1,4 +1,5 @@ {{- define "cf-argocd-extras.default-values" }} + {{- $argoCdAuth := (include "codefresh-gitops-runtime.argocd-token-auth" . | fromYaml) }} global: {} externalRedis: @@ -84,8 +85,7 @@ eventReporter: name: argocd-cmd-params-cm key: server.rootpath optional: true - ARGO_CD_TOKEN_SECRET_NAME: argocd-token - ARGO_CD_TOKEN_SECRET_KEY: token +{{ $argoCdAuth | toYaml | indent 6 }} BINARY_NAME: event-reporter CODEFRESH_SSL_CERT_PATH: "" CODEFRESH_TLS_INSECURE: @@ -392,8 +392,7 @@ sourcesServer: configMapKeyRef: name: sources-server-cmd-params-cm key: argocd.server - ARGO_CD_TOKEN_SECRET_NAME: argocd-token - ARGO_CD_TOKEN_SECRET_KEY: token +{{ $argoCdAuth | toYaml | indent 6}} ARGOCD_SERVER_ROOTPATH: valueFrom: configMapKeyRef: 
diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml index b3f73aa4..6c349787 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml +++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/event-reporter/_statefulset.yaml 
@@ -15,19 +15,6 @@ {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key" (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }} {{- end }} -{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} -{{- if (eq $argoCdAuth.type "token") }} - {{- if $argoCdAuth.token }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} - {{- else if $argoCdAuth.tokenSecretKeyRef }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} - {{- else }} - {{ fail ".Values.global.integrations.argo-cd.auth.type is 'token' and .Values.global.integrations.argo-cd.auth.token or .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef are not set" }} - {{- end }} -{{- end }} - {{- if and (index $context.Values "global" "external-argo-cd" "server" "rootpath") }} {{- $_ := set $context.Values.container.env "ARGOCD_SERVER_ROOTPATH" (index $context.Values "global" "external-argo-cd" "server" "rootpath") }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml index 90f38adc..e32cb923 100644 --- a/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml 
+++ b/charts/gitops-runtime/templates/_components/cf-argocd-extras/sources-server/_deployment.yaml @@ -15,19 +15,6 @@ {{- $_ := set $context.Values.container.env.REDIS_PASSWORD.valueFrom.secretKeyRef "key" (default "redis-password" $vals.externalRedis.existingSecretKeyRef.key) }} {{- end }} -{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} -{{- if (eq $argoCdAuth.type "token") }} - {{- if $argoCdAuth.token }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} - {{- else if $argoCdAuth.tokenSecretKeyRef }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} - {{- $_ := set $context.Values.container.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} - {{- else }} - {{ fail ".Values.global.integrations.argo-cd.auth.type is 'token' and .Values.global.integrations.argo-cd.auth.token or .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef are not set" }} - {{- end }} -{{- end }} - {{- if and (index $context.Values "global" "external-argo-cd" "server" "rootpath") }} {{- $_ := set $context.Values.container.env "ARGOCD_SERVER_ROOTPATH" (index $context.Values "global" "external-argo-cd" "server" "rootpath") }} {{- end }} diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml index 1240797d..4a813115 100644 
--- a/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml @@ -3,8 +3,9 @@ {{/* Merge environment variables from calculated, defaults and overwrites */}} {{- $defaults := (include "gitops-operator.resources.environment-variables.defaults" . | fromYaml) }} {{- $calculated := (include "gitops-operator.resources.environment-variables.calculated" . | fromYaml) }} +{{- $argoCdAuth := (include "codefresh-gitops-runtime.argocd-token-auth" . | fromYaml) }} {{- $overrides := .Values.env }} -{{- $mergedValues := mergeOverwrite $defaults $calculated $overrides }} +{{- $mergedValues := mergeOverwrite $defaults $calculated $argoCdAuth $overrides }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index f2e10f74..67ea8281 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml 
@@ -8,28 +8,28 @@ to keep the separation of components as pseudo library charts, they are defined CF_CA_CERT: {{ printf "/app/config/codefresh-tls/%s" .Values.global.codefresh.tls.caCerts.secretKeyRef.key }} {{- end }} CF_URL: {{ .Values.global.codefresh.url }} +COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} GITOPS_OPERATOR_VERSION: {{ .Values.image.tag }} + {{- if (gt (int .Values.replicaCount) 1 ) }} +LEADER_ELECT: true + {{- else }} +LEADER_ELECT: false + {{- end }} +MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} +PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} RUNTIME: {{ .Values.global.runtime.name }} TASK_POLLING_INTERVAL: {{ .Values.config.taskPollingInterval }} -COMMIT_STATUS_POLLING_INTERVAL: {{ .Values.config.commitStatusPollingInterval }} WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInterval }} -MAX_CONCURRENT_RELEASES: {{ .Values.config.maxConcurrentReleases }} -PROMOTION_WRAPPER_TEMPLATE: {{ .Values.config.promotionWrapperTemplate | quote }} {{- end }} {{- define "gitops-operator.resources.environment-variables.defaults" -}} AP_URL: http://cap-app-proxy:3017 -ARGO_CD_URL: argo-cd-server:80 -ARGO_CD_TOKEN_SECRET_NAME: argocd-token -ARGO_CD_TOKEN_SECRET_KEY: token -ARGO_WF_URL: http://argo-server:2746 CF_TOKEN: valueFrom: secretKeyRef: name: codefresh-token key: token HEALTH_PROBE_BIND_ADDRESS: :8081 -LEADER_ELECT: true METRICS_BIND_ADDRESS: :8080 METRICS_SECURE: false NAMESPACE: diff --git a/charts/gitops-runtime/templates/_helpers.tpl b/charts/gitops-runtime/templates/_helpers.tpl index dedf5040..ccf704a2 100644 --- a/charts/gitops-runtime/templates/_helpers.tpl +++ b/charts/gitops-runtime/templates/_helpers.tpl 
@@ -263,11 +263,32 @@ ARGO_CD_TOKEN: {{- if and (hasKey $argoCdAuth.tokenSecretKeyRef "name") (hasKey $argoCdAuth.tokenSecretKeyRef "key") }} {{- $argoCdAuth.tokenSecretKeyRef | toYaml | nindent 6 }} {{- else }} - {{- fail "Both 'name' and 'key' must be set in .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef" }} + {{- fail "Both 'name' and 'key' must be set in .Values.global.integrations.argo-cd.server.auth.tokenSecretKeyRef" }} {{- end }} {{- end }} {{- else }} - {{ fail (printf "Invalid value for .Values.global.integrations.argo-cd.auth.type: %s. Allowed values are: [password token]" $argoCdAuth.type) }} + {{ fail (printf "Invalid value for .Values.global.integrations.argo-cd.server.auth.type: %s. Allowed values are: [password token]" $argoCdAuth.type) }} + {{- end }} +{{- end }} + +{{/* +Used by gitops-operator, event-reporter and sources-server to use the correct secret name/key for argo-cd token +*/}} +{{- define "codefresh-gitops-runtime.argocd-token-auth" }} + {{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} + {{- if (eq $argoCdAuth.type "password") }} +ARGO_CD_TOKEN_SECRET_NAME: argocd-token +ARGO_CD_TOKEN_SECRET_KEY: token + {{- else if (eq $argoCdAuth.type "token") }} + {{- if $argoCdAuth.token }} +ARGO_CD_TOKEN_SECRET_NAME: gitops-runtime-argo-cd-token +ARGO_CD_TOKEN_SECRET_KEY: token + {{- else if $argoCdAuth.tokenSecretKeyRef }} +ARGO_CD_TOKEN_SECRET_NAME: {{ required ".Values.global.integrations.argo-cd.server.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.server.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name }} +ARGO_CD_TOKEN_SECRET_KEY: {{ required ".Values.global.integrations.argo-cd.server.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.server.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key }} + {{- end }} + {{- else }} + {{ fail (printf "Invalid value for 
.Values.global.integrations.argo-cd.server.auth.type: %s. Allowed values are: [password token]" $argoCdAuth.type) }} {{- end }} {{- end }} diff --git a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml index 48eb6243..41a1108c 100644 --- a/charts/gitops-runtime/templates/gitops-operator/deployment.yaml +++ b/charts/gitops-runtime/templates/gitops-operator/deployment.yaml @@ -6,19 +6,6 @@ {{- $_ := set $context "Values" $vals }} {{- $_ := set $context.Values "global" (deepCopy (get .Values "global")) }} -{{- $argoCdAuth := (index .Values "global" "integrations" "argo-cd" "server" "auth") }} -{{- if (eq $argoCdAuth.type "token") }} - {{- if $argoCdAuth.token }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" "gitops-runtime-argo-cd-token" }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" "token" }} - {{- else if $argoCdAuth.tokenSecretKeyRef }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_NAME" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" $argoCdAuth.tokenSecretKeyRef.name) }} - {{- $_ := set $context.Values.env "ARGO_CD_TOKEN_SECRET_KEY" (required ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.key is required" $argoCdAuth.tokenSecretKeyRef.key) }} - {{- else }} - {{ fail ".Values.global.integrations.argo-cd.auth.type is 'token' and .Values.global.integrations.argo-cd.auth.token or .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef are not set" }} - {{- end }} -{{- end }} - {{/* Set argo-cd-server service and port */}} {{ if not (index $context.Values "env" "ARGO_CD_URL") }} {{- $_ := set $context.Values.env "ARGO_CD_URL" (include "codefresh-gitops-runtime.argocd.server.no-protocol-url" . ) }} 
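Review bot: The `token` branch of the new `codefresh-gitops-runtime.argocd-token-auth` helper in `_helpers.tpl` has no fallback when both `token` and `tokenSecretKeyRef` are empty, so with the default `tokenSecretKeyRef: {}` it renders nothing instead of failing. The per-component blocks this commit deletes ended that chain with a `fail`, so a misconfigured `auth.type: token` is no longer rejected at render time here. `_default-values.tpl` would then emit the `toYaml` of an empty map under `env`, and gitops-operator would get no `ARGO_CD_TOKEN_SECRET_NAME` or `ARGO_CD_TOKEN_SECRET_KEY` unless they are set through `env` overrides, since the same commit removes their defaults. Restoring the last branch keeps the check: `{{- else }}` followed by `{{- fail ".Values.global.integrations.argo-cd.server.auth.type is 'token' and neither auth.token nor auth.tokenSecretKeyRef is set" }}` before the inner `{{- end }}`. The two `required` results are also written unquoted before `fromYaml`, so piping them through `quote` would keep an all-digit secret name or key a string.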
@@ -38,10 +25,4 @@ {{- $_ := set $context.Values.global.codefresh.tls.caCerts.secretKeyRef "key" ($context.Values.global.codefresh.tls.caCerts.secret.create | ternary (default "ca-bundle.crt" $context.Values.global.codefresh.tls.caCerts.secret.key) $context.Values.global.codefresh.tls.caCerts.secretKeyRef.key) }} {{- end }} -{{- if and (gt (int $context.Values.replicaCount) 1 ) }} - {{- $_ := set $context.Values.env "LEADER_ELECT" "true" }} -{{- else }} - {{- $_ := set $context.Values.env "LEADER_ELECT" "false" }} -{{- end }} - {{- include "gitops-operator.resources.deployment" $context }} diff --git a/charts/gitops-runtime/tests/external_argocd_test.yaml b/charts/gitops-runtime/tests/external_argocd_test.yaml index 480b2327..4e478510 100644 --- a/charts/gitops-runtime/tests/external_argocd_test.yaml +++ b/charts/gitops-runtime/tests/external_argocd_test.yaml @@ -715,7 +715,7 @@ tests: type: invalid asserts: - failedTemplate: - errorMessage: "Invalid value for .Values.global.integrations.argo-cd.auth.type: invalid. Allowed values are: [password token]" + errorMessage: "Invalid value for .Values.global.integrations.argo-cd.server.auth.type: invalid. Allowed values are: [password token]" - it: event-reporter StatefulSet should have valid ARGOCD_SERVER_ROOTPATH env var template: cf-argocd-extras/event-reporter/statefulset.yaml @@ -858,7 +858,7 @@ tests: key: null asserts: - failedTemplate: - errorMessage: ".Values.global.integrations.argo-cd.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.auth.tokenSecretKeyRef.name is required" + errorMessage: ".Values.global.integrations.argo-cd.server.auth.type is set to 'token' therefore .Values.global.integrations.argo-cd.server.auth.tokenSecretKeyRef.name is required" - it: should require ArgoCd server address if it's not provided template: cf-argocd-extras/sources-server/deployment.yaml From 7dd5b6594a0c6653f18cb7959d32b6cc9a2d4db6 Mon Sep 17 00:00:00 2001 
From: Noam Gal Date: Sun, 5 Oct 2025 17:55:53 +0300 Subject: [PATCH 09/11] returned default argocd and argowf urls --- .../templates/_components/gitops-operator/_env.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index 67ea8281..fbfae123 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -24,6 +24,8 @@ WORKFLOW_MONITOR_POLLING_INTERVAL: {{ .Values.config.workflowMonitorPollingInter {{- define "gitops-operator.resources.environment-variables.defaults" -}} AP_URL: http://cap-app-proxy:3017 +ARGO_CD_URL: argo-cd-server:80 +ARGO_WF_URL: http://argo-server:2746 CF_TOKEN: valueFrom: secretKeyRef: From a33757a80ccab4bf67730903619889a0d7731186 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 6 Oct 2025 08:22:23 +0300 Subject: [PATCH 10/11] moved "codefresh-gitops-runtime.argocd-token-auth" into "gitops-operator.resources.environment-variables.calculated" --- .../templates/_components/gitops-operator/_deployment.yaml | 3 +-- .../templates/_components/gitops-operator/_env.yaml | 1 + 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml index 4a813115..1240797d 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_deployment.yaml 
@@ -3,9 +3,8 @@ {{/* Merge environment variables from calculated, defaults and overwrites */}} {{- $defaults := (include "gitops-operator.resources.environment-variables.defaults" . | fromYaml) }} {{- $calculated := (include "gitops-operator.resources.environment-variables.calculated" . | fromYaml) }} -{{- $argoCdAuth := (include "codefresh-gitops-runtime.argocd-token-auth" . | fromYaml) }} {{- $overrides := .Values.env }} -{{- $mergedValues := mergeOverwrite $defaults $calculated $argoCdAuth $overrides }} +{{- $mergedValues := mergeOverwrite $defaults $calculated $overrides }} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml index fbfae123..d8548693 100644 --- a/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml +++ b/charts/gitops-runtime/templates/_components/gitops-operator/_env.yaml @@ -3,6 +3,7 @@ Some environment variables are determined by values provided in other components to keep the separation of components as pseudo library charts, they are defined here to be merged when components are generated. */}} {{- define "gitops-operator.resources.environment-variables.calculated" }} + {{- include "codefresh-gitops-runtime.argocd-token-auth" . }} {{/* if custom certificates are provided */}} {{- if .Values.global.codefresh.tls.caCerts.secretKeyRef }} CF_CA_CERT: {{ printf "/app/config/codefresh-tls/%s" .Values.global.codefresh.tls.caCerts.secretKeyRef.key }} From f4f0aca12ea9153ed7de55204740778bd9520772 Mon Sep 17 00:00:00 2001 From: Noam Gal Date: Mon, 6 Oct 2025 09:41:05 +0300 Subject: [PATCH 11/11] fixed tests --- charts/gitops-runtime/tests/external_argocd_test.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/charts/gitops-runtime/tests/external_argocd_test.yaml b/charts/gitops-runtime/tests/external_argocd_test.yaml index 4e478510..02c42c81 100644 
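Review bot: With the auth helper now rendered inside `gitops-operator.resources.environment-variables.calculated`, its output goes through the same `fromYaml` call in `_deployment.yaml` as every other calculated variable, and nothing checks the result of that parse. Helm's `fromYaml` does not abort rendering on malformed input; it returns a map holding only an `Error` key, so an indentation slip in `codefresh-gitops-runtime.argocd-token-auth` would likely drop the credentials and the CA-cert settings together while rendering carries on. A guard after the `$calculated` assignment would turn that into a render failure: `{{- if hasKey $calculated "Error" }}{{ fail (printf "calculated env is not valid YAML: %s" (get $calculated "Error")) }}{{- end }}`. The auth entries used to be merged after `$calculated` and are still overridden by `.Values.env`, which deserves a line in the existing merge comment. Both the `_deployment.yaml` hunk and the `_env.yaml` hunk show only part of their templates.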
--- a/charts/gitops-runtime/tests/external_argocd_test.yaml +++ b/charts/gitops-runtime/tests/external_argocd_test.yaml @@ -705,7 +705,6 @@ tests: values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml - template: app-proxy/deployment.yaml set: global: integrations: @@ -841,7 +840,6 @@ tests: pattern: "name: sources-server" - it: should require ArgoCd token if auth.type=token is set and no token is provided - template: cf-argocd-extras/sources-server/deployment.yaml values: - ./values/mandatory-values-ingress.yaml - ./values/external-argocd-values.yaml