feat: allow webhook settings to be referenced by external secret (argoproj#16262)

Signed-off-by: Arthur Outhenin-Chalandre <[email protected]>
Signed-off-by: Mangaal <[email protected]>
MrFreezeex authored and Mangaal committed Mar 14, 2024
1 parent 37de407 commit b9cb61c
Showing 4 changed files with 30 additions and 29 deletions.
2 changes: 1 addition & 1 deletion docs/operator-manual/user-management/index.md
Expand Up @@ -500,7 +500,7 @@ data:

#### Alternative

If you want to store sensitive data in **another** Kubernetes `Secret`, instead of `argocd-secret`. ArgoCD knows to check the keys under `data` in your Kubernetes `Secret` for a corresponding key whenever a value in a configmap starts with `$`, then your Kubernetes `Secret` name and `:` (colon).
If you want to store sensitive data in **another** Kubernetes `Secret`, instead of `argocd-secret`. ArgoCD knows to check the keys under `data` in your Kubernetes `Secret` for a corresponding key whenever a value in a configmap or secret starts with `$`, then your Kubernetes `Secret` name and `:` (colon).

Syntax: `$<k8s_secret_name>:<a_key_in_that_k8s_secret>`

10 changes: 10 additions & 0 deletions docs/operator-manual/webhook.md
Expand Up @@ -97,3 +97,13 @@ stringData:
```
After saving, the changes should take effect automatically.
### Alternative
If you want to store webhook data in **another** Kubernetes `Secret`, instead of `argocd-secret`. ArgoCD knows to check the keys under `data` in your Kubernetes `Secret` starts with `$`, then your Kubernetes `Secret` name and `:` (colon).

Syntax: `$<k8s_secret_name>:<a_key_in_that_k8s_secret>`

> NOTE: Secret must have label `app.kubernetes.io/part-of: argocd`

For more information refer to the corresponding section in the [User Management Documentation](user-management/index.md#alternative).
30 changes: 9 additions & 21 deletions util/settings/settings.go
Expand Up @@ -1495,27 +1495,6 @@ func (mgr *SettingsManager) updateSettingsFromSecret(settings *ArgoCDSettings, a
} else {
errs = append(errs, &incompleteSettingsError{message: "server.secretkey is missing"})
}
if githubWebhookSecret := argoCDSecret.Data[settingsWebhookGitHubSecretKey]; len(githubWebhookSecret) > 0 {
settings.WebhookGitHubSecret = string(githubWebhookSecret)
}
if gitlabWebhookSecret := argoCDSecret.Data[settingsWebhookGitLabSecretKey]; len(gitlabWebhookSecret) > 0 {
settings.WebhookGitLabSecret = string(gitlabWebhookSecret)
}
if bitbucketWebhookUUID := argoCDSecret.Data[settingsWebhookBitbucketUUIDKey]; len(bitbucketWebhookUUID) > 0 {
settings.WebhookBitbucketUUID = string(bitbucketWebhookUUID)
}
if bitbucketserverWebhookSecret := argoCDSecret.Data[settingsWebhookBitbucketServerSecretKey]; len(bitbucketserverWebhookSecret) > 0 {
settings.WebhookBitbucketServerSecret = string(bitbucketserverWebhookSecret)
}
if gogsWebhookSecret := argoCDSecret.Data[settingsWebhookGogsSecretKey]; len(gogsWebhookSecret) > 0 {
settings.WebhookGogsSecret = string(gogsWebhookSecret)
}
if azureDevOpsUsername := argoCDSecret.Data[settingsWebhookAzureDevOpsUsernameKey]; len(azureDevOpsUsername) > 0 {
settings.WebhookAzureDevOpsUsername = string(azureDevOpsUsername)
}
if azureDevOpsPassword := argoCDSecret.Data[settingsWebhookAzureDevOpsPasswordKey]; len(azureDevOpsPassword) > 0 {
settings.WebhookAzureDevOpsPassword = string(azureDevOpsPassword)
}

// The TLS certificate may be externally managed. We try to load it from an
// external secret first. If the external secret doesn't exist, we either
Expand Down Expand Up @@ -1555,6 +1534,15 @@ func (mgr *SettingsManager) updateSettingsFromSecret(settings *ArgoCDSettings, a
if len(errs) > 0 {
return errs[0]
}

settings.WebhookGitHubSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookGitHubSecretKey]), settings.Secrets)
settings.WebhookGitLabSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookGitLabSecretKey]), settings.Secrets)
settings.WebhookBitbucketUUID = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookBitbucketUUIDKey]), settings.Secrets)
settings.WebhookBitbucketServerSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookBitbucketServerSecretKey]), settings.Secrets)
settings.WebhookGogsSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookGogsSecretKey]), settings.Secrets)
settings.WebhookAzureDevOpsUsername = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookAzureDevOpsUsernameKey]), settings.Secrets)
settings.WebhookAzureDevOpsPassword = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookAzureDevOpsPasswordKey]), settings.Secrets)

return nil
}

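Review bot: The seven assignments added in the second hunk now pass every webhook value through ReplaceStringSecret unconditionally, so a pre-existing literal secret that happens to begin with `$` is reinterpreted as an external reference, and what ends up in the settings when that reference does not resolve depends on ReplaceStringSecret's fallback, which is not visible here; if it hands back the input unchanged, the literal reference string silently becomes the value used for webhook signature verification, and a warning-level log at that point would make the misconfiguration diagnosable. The block is also placed after the `errs` check, presumably because settings.Secrets is only populated by code between the two hunks; that ordering constraint is worth a comment above the first assignment, e.g. `// Webhook values may be $<secret>:<key> references; resolve them against settings.Secrets, which must already be loaded at this point.`. The seven near-identical lines could be a table-driven loop over key/destination pairs, but that is a style preference. updateSettingsFromSecret begins and the secret-loading code sits outside the visible hunks.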
17 changes: 10 additions & 7 deletions util/settings/settings_test.go
Expand Up @@ -1241,9 +1241,9 @@ func TestDownloadArgoCDBinaryUrls(t *testing.T) {
func TestSecretKeyRef(t *testing.T) {
data := map[string]string{
"oidc.config": `name: Okta
issuer: $acme:issuerSecret
issuer: $ext:issuerSecret
clientID: aaaabbbbccccddddeee
clientSecret: $acme:clientSecret
clientSecret: $ext:clientSecret
# Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
requestedScopes: ["openid", "profile", "email"]
# Optional set of OIDC claims to request on the ID token.
Expand All @@ -1265,28 +1265,31 @@ requestedIDTokenClaims: {"groups": {"essential": true}}`,
Namespace: "default",
},
Data: map[string][]byte{
"admin.password": nil,
"server.secretkey": nil,
"admin.password": nil,
"server.secretkey": nil,
"webhook.github.secret": []byte("$ext:webhook.github.secret"),
},
}
secret := &v1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: "acme",
Name: "ext",
Namespace: "default",
Labels: map[string]string{
"app.kubernetes.io/part-of": "argocd",
},
},
Data: map[string][]byte{
"issuerSecret": []byte("https://dev-123456.oktapreview.com"),
"clientSecret": []byte("deadbeef"),
"issuerSecret": []byte("https://dev-123456.oktapreview.com"),
"clientSecret": []byte("deadbeef"),
"webhook.github.secret": []byte("mywebhooksecret"),
},
}
kubeClient := fake.NewSimpleClientset(cm, secret, argocdSecret)
settingsManager := NewSettingsManager(context.Background(), kubeClient, "default")

settings, err := settingsManager.GetSettings()
assert.NoError(t, err)
assert.Equal(t, settings.WebhookGitHubSecret, "mywebhooksecret")

oidcConfig := settings.OIDCConfig()
assert.Equal(t, oidcConfig.Issuer, "https://dev-123456.oktapreview.com")
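Review bot: The new assertion on `settings.WebhookGitHubSecret` covers only the resolved-reference path for GitHub; there is no case for a webhook value that does not begin with `$` (which must pass through unchanged) nor for a `$ext:` reference whose key is absent from the external secret, which is the case where the fallback matters most for signature verification. A second argocdSecret entry such as `"webhook.gitlab.secret": []byte("plain-literal")` paired with `assert.Equal(t, "plain-literal", settings.WebhookGitLabSecret)` would pin the pass-through behaviour. The added assert also has the arguments reversed relative to testify's expected-first convention: `assert.Equal(t, "mywebhooksecret", settings.WebhookGitHubSecret)`. TestSecretKeyRef continues outside the hunk.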
