feat: Support for preserving dependencies charts archives (#16725)

[raz-amir]

This PR adds a feature to allow keeping the dependency charts tgz files. These files are deleted by default as part of the git clean operation that takes place during the checkout flow in the repo server.
WIth this feature enabled, and with the default exclude pattern, git clean will be executed with the exclude flag
However, keeping the tgz files isn't enough, if the dependency version has advanced, since helm template doesn't check that and it succeeds anyway, and before this feature, for performance reasons, helm dependency build is executed only if helm template fails. Therefore, before running helm template we need to verify that the dependency charts versions are satisfied, so a new call to helm dependency list is added, and if no, helm dependency rebuild will be executed before helm template - just if this exclude feature is enabled.
--preserve-dependencies-charts-archives flag added to argocd-repo-server CLI.

Closes: #16725

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[codecov]

Codecov Report

Attention: 4 lines in your changes are missing coverage. Please review.

Comparison is base (ecbd24d) 49.50% compared to head (78a63ce) 49.32%.
Report is 55 commits behind head on master.

Files	Patch %	Lines
reposerver/repository/repository.go	91.89%	2 Missing and 1 partial ⚠️
util/git/client.go	92.30%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #16750      +/-   ##
==========================================
- Coverage   49.50%   49.32%   -0.18%     
==========================================
  Files         271      274       +3     
  Lines       47793    48204     +411     
==========================================
+ Hits        23658    23779     +121     
- Misses      21796    22075     +279     
- Partials     2339     2350      +11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[crenshaw-dev]

Quick glance, just one small change.

[crenshaw-dev]

Could you add a docstring here describing the flag?

[ishitasequeira]

Thanks @ramir-savvy !! Overall PR looks good. Just one comment.

[ishitasequeira]

As a new environment variable is added, can you add the variable to repo-server deployment?

Reference: https://github.com/argoproj/argo-cd/blob/master/manifests/base/repo-server/argocd-repo-server-deployment.yaml#L26

[raz-amir]

Thank you @ishitasequeira!
I added the requested change and also added to additional manifest files that have similar functionality - let me know if I should keep or remove them and stay only with the file requested by you.

[raz-amir]

I removed that question as I just learned that the other files are auto generated

[crenshaw-dev]

@ramir-savvy something I thought about: is this change going to allow an effective bypass of repo access restrictions?

For example, if App A (via Project A) has access to Parent chart and Child chart, App A will be able to pull the private Child chart. And the App B (via Project B) which has access to only the Parent chart will automatically get access to the private Child chart, because the chart is saved and cached.

Is my understanding correct?

[jcogilvie]

This looks like a desirable change to me, but I just wanted to confirm that is there a way to opt into pulling the latest dependency on a particular run.

Say I have chart A that depends on chart B at "~> 1.0.0"

I have 1.0.0 in cache, so dependency is satisfied.

But a bugfix is published in 1.0.1 that I would like to make sure is included going forward. How would I accomplish that? Is that already covered under a force refresh or similar?

[raz-amir]

@crenshaw-dev , I believe you are right, I overlooked the project separation.
Any suggestion on what can be implemented to overcome this?

[raz-amir]

@jcogilvie , good point. I think that this one is also a limitation of this feature. Today, as far as I know, there is no way to force the repo refresh. The only way to do this is to restart the repo server.
I am not sure if this is a valid solution too. Maybe just document this?

@crenshaw-dev , will be great to get your input on this one

[raz-amir]

@crenshaw-dev, did you get the chance to think over the above concerns?
Maybe they can be considered as limitations of this feature (which isn't enabled by default) and documented as such?
Any other ideas will be great.
Thanks