various fixes (#9)

Author: crenshaw-dev

README.md

@@ -48,21 +48,21 @@ spec:
 
 ### Step 1: Get an Argo CD token
 
-The plugin requires a secret named `argocd-sync-token` with a key called `jwt.txt` containing the Argo CD token. See the [Argo CD documentation](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#project-roles) for information about generating tokens.
+The plugin requires a secret named `argocd-token` with a key called `token` containing the Argo CD token. See the [Argo CD documentation](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#project-roles) for information about generating tokens.
 
 ```yaml
 apiVersion: v1
 kind: Secret
 metadata:
-  name: argocd-sync-token
+  name: argocd-token
 stringData:
-  jwt.txt: <token>
+  token: <token>
 ```
 
 After defining the secret, apply it to your cluster:
 
 ```shell
-kubectl apply -f argocd-sync-token.yaml
+kubectl apply -f argocd-token.yaml
 ```
 
 ### Step 2: Install the plugin

cmd/argocd-plugin/main.go

@@ -3,21 +3,27 @@ package main
 import (
 	"fmt"
 	"net/http"
+	"os"
 
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
 
 	"github.com/crenshaw-dev/argocd-executor-plugin/internal"
 )
 
 func main() {
+	agentToken, err := os.ReadFile("/var/run/argo/token")
+	if err != nil {
+		panic(err.Error())
+	}
+
 	client, err := apiclient.NewClient(&apiclient.ClientOptions{
 		// TODO: make this configurable by passing a root CA.
 		Insecure: true,
 	})
 	if err != nil {
 		panic(fmt.Sprintf("failed to initialize Argo CD API client: %s", err))
 	}
-	executor := argocd.NewApiExecutor(client)
+	executor := argocd.NewApiExecutor(client, string(agentToken))
 	http.HandleFunc("/api/v1/template.execute", argocd.ArgocdPlugin(&executor))
 	err = http.ListenAndServe(":3000", nil)
 	if err != nil {

internal/argocd_executor.go

@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"net/http"
 	"strings"
 	"sync"
 	"time"
@@ -26,11 +27,20 @@ import (
 )
 
 type ApiExecutor struct {
-	apiClient apiclient.Client
+	apiClient  apiclient.Client
+	agentToken string
 }
 
-func NewApiExecutor(apiClient apiclient.Client) ApiExecutor {
-	return ApiExecutor{apiClient: apiClient}
+func NewApiExecutor(apiClient apiclient.Client, agentToken string) ApiExecutor {
+	return ApiExecutor{apiClient: apiClient, agentToken: agentToken}
+}
+
+func (e *ApiExecutor) Authorize(req *http.Request) error {
+	auth := req.Header.Get("Authorization")
+	if auth != "Bearer "+e.agentToken {
+		return fmt.Errorf("invalid agent token")
+	}
+	return nil
 }
 
 func (e *ApiExecutor) Execute(args executor.ExecuteTemplateArgs) executor.ExecuteTemplateReply {
@@ -49,7 +59,12 @@ func (e *ApiExecutor) Execute(args executor.ExecuteTemplateArgs) executor.Execut
 		return errorResponse(err)
 	}
 
-	output, err := e.runAction(plugin.ArgoCD)
+	if plugin.ArgoCD == nil {
+		log.Println("unsupported plugin type")
+		return executor.ExecuteTemplateReply{} // unsupported plugin
+	}
+
+	output, err := e.runAction(*plugin.ArgoCD)
 	if err != nil {
 		return failedResponse(wfv1.Progress(fmt.Sprintf("0/1")), fmt.Errorf("action failed: %w", err))
 	}
@@ -93,11 +108,13 @@ func (e *ApiExecutor) runAction(action ActionSpec) (out string, err error) {
 	if action.App.Sync != nil {
 		err = syncAppsParallel(*action.App.Sync, action.Timeout, appClient)
 		if err != nil {
+			return "", fmt.Errorf("failed to sync apps: %w", err)
 		}
 	}
 	if action.App.Diff != nil {
 		out, err = diffApp(*action.App.Diff, action.Timeout, appClient, settingsClient)
 		if err != nil {
+			return "", fmt.Errorf("failed to diff app: %w", err)
 		}
 	}
 	return out, err

internal/plugin.go

@@ -20,6 +20,7 @@ var (
 
 // Executor performs the tasks requested by the Workflow.
 type Executor interface {
+	Authorize(req *http.Request) error
 	// Execute runs commands based on the args provided from the workflow
 	Execute(args executor.ExecuteTemplateArgs) executor.ExecuteTemplateReply
 }

internal/types.go

@@ -2,7 +2,7 @@ package argocd
 
 // PluginSpec represents the `plugin` block of an Argo Workflows template.
 type PluginSpec struct {
-	ArgoCD ActionSpec `json:"argocd,omitempty"`
+	ArgoCD *ActionSpec `json:"argocd,omitempty"`
 }
 
 type ActionSpec struct {

manifests/argocd-executor-plugin-configmap.yaml

@@ -7,8 +7,8 @@ data:
     - name: ARGOCD_AUTH_TOKEN
       valueFrom:
         secretKeyRef:
-          key: jwt.txt
-          name: argocd-sync-token
+          key: token
+          name: argocd-token
     - name: ARGOCD_SERVER
       value: argocd-server.argocd.svc.cluster.local
     image: crenshawdotdev/argocd-executor-plugin:v0.0.7

manifests/plugin.yaml

@@ -17,8 +17,8 @@ spec:
         - name: ARGOCD_AUTH_TOKEN
           valueFrom:
             secretKeyRef:
-              name: argocd-sync-token
-              key: jwt.txt
+              name: argocd-token
+              key: token
         - name: ARGOCD_SERVER
           value: argocd-server.argocd.svc.cluster.local
       ports:

scripts/setup_argocd.sh

@@ -29,6 +29,6 @@ argocd proj role add-policy guestbook sync --action sync -o '*' --port-forward -
 argocd app create guestbook --upsert --project guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace guestbook --dest-server https://kubernetes.default.svc --directory-recurse --port-forward --port-forward-namespace argocd
 
 # Create role token
-argocd proj role create-token guestbook sync -i argocd-workflows-plugin -t --port-forward --port-forward-namespace argocd | tr -d '\n' > ./jwt.txt
-kubectl create secret generic argocd-sync-token -n argo --save-config --dry-run=client --from-file=./jwt.txt -oyaml | kubectl apply -f -
-rm ./jwt.txt
+argocd proj role create-token guestbook sync -i argocd-workflows-plugin -t --port-forward --port-forward-namespace argocd | tr -d '\n' > ./token
+kubectl create secret generic argocd-token -n argo --save-config --dry-run=client --from-file=./token -oyaml | kubectl apply -f -
+rm ./token