Skip to content

Commit

Permalink
feat: add support for separate GitHub app credentials stored as Kuber…
Browse files Browse the repository at this point in the history
…netes secrets

Signed-off-by: Dustin Lactin <[email protected]>
  • Loading branch information
dlactin committed Dec 7, 2023
1 parent 0252dae commit 15573da
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 8 deletions.
14 changes: 13 additions & 1 deletion docs/basics/update-methods.md
Original file line number Diff line number Diff line change
Expand Up @@ -123,7 +123,9 @@ Example:
argocd-image-updater.argoproj.io/write-back-method: git:secret:argocd-image-updater/git-creds
```

If the repository is accessed using HTTPS, the secret must contain two fields:
If the repository is accessed using HTTPS, the secret must contain either user credentials or GitHub app credentials.

If the repository is accessed using user credentials, the secret requires two fields
`username` which holds the Git username, and `password` which holds the user's
password or a private access token (PAT) with write access to the repository.
You can generate such a secret using `kubectl`, e.g.:
Expand All @@ -134,6 +136,16 @@ kubectl -n argocd-image-updater create secret generic git-creds \
--from-literal=password=somepassword
```

If the repository is accessed using GitHub app credentials, the secret requires three fields `githubAppID` which holds the GitHub Application ID, `githubAppInstallationID` which holds the GitHub Organization Installation ID, and `githubAppPrivateKey` which holds the GitHub Application private key. The GitHub Application must be installed into the target repository with write access.
You can generate such a secret using `kubectl`, e.g.:

```bash
kubectl -n argocd-image-updater create secret generic git-creds \
--from-literal=githubAppID=applicationid \

Check failure on line 144 in docs/basics/update-methods.md

View workflow job for this annotation

GitHub Actions / Spell checking

`applicationid` is not a recognized word. (unrecognized-spelling)
--from-literal=githubAppInstallationID=installationid \

Check failure on line 145 in docs/basics/update-methods.md

View workflow job for this annotation

GitHub Actions / Spell checking

`installationid` is not a recognized word. (unrecognized-spelling)
--from-literal=githubAppPrivateKey='-----BEGIN RSA PRIVATE KEY-----PRIVATEKEYDATA-----END RSA PRIVATE KEY-----'

Check failure on line 146 in docs/basics/update-methods.md

View workflow job for this annotation

GitHub Actions / Spell checking

`PRIVATEKEYDATA` is not a recognized word. (unrecognized-spelling)
```

If the repository is accessed using SSH, the secret must contain the field
`sshPrivateKey`, which holds a SSH private key in OpenSSH-compatible PEM
format. To create such a secret from an existing private key, you can use
Expand Down
26 changes: 19 additions & 7 deletions pkg/argocd/gitcreds.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@ package argocd
import (
"context"
"fmt"
"strconv"
"strings"

"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
Expand Down Expand Up @@ -66,14 +67,25 @@ func getCredsFromSecret(wbc *WriteBackConfig, credentialsSecret string, kubeClie
}
return git.NewSSHCreds(string(sshPrivateKey), "", true), nil
} else if git.IsHTTPSURL(wbc.GitRepo) {
var username, password []byte
if username, ok = credentials["username"]; !ok {
return nil, fmt.Errorf("invalid secret %s: does not contain field username", credentialsSecret)
var username, password, githubAppID, githubAppInstallationID, githubAppPrivateKey []byte
if githubAppID, ok = credentials["githubAppID"]; ok {
if githubAppInstallationID, ok = credentials["githubAppInstallationID"]; !ok {
return nil, fmt.Errorf("invalid secret %s: does not contain field githubAppInstallationID", credentialsSecret)
}
if githubAppPrivateKey, ok = credentials["githubAppPrivateKey"]; !ok {
return nil, fmt.Errorf("invalid secret %s: does not contain field githubAppPrivateKey", credentialsSecret)
}
// converting byte array to string and ultimately int64 for NewGitHubAppCreds
intGithubAppID, _ := strconv.ParseInt(string(githubAppID), 10, 64)
intGithubAppInstallationID, _ := strconv.ParseInt(string(githubAppInstallationID), 10, 64)
return git.NewGitHubAppCreds(intGithubAppID, intGithubAppInstallationID, string(githubAppPrivateKey), "", "", "", "", true), nil
} else if username, ok = credentials["username"]; ok {
if password, ok = credentials["password"]; !ok {
return nil, fmt.Errorf("invalid secret %s: does not contain field password", credentialsSecret)
}
return git.NewHTTPSCreds(string(username), string(password), "", "", true, ""), nil
}
if password, ok = credentials["password"]; !ok {
return nil, fmt.Errorf("invalid secret %s: does not contain field password", credentialsSecret)
}
return git.NewHTTPSCreds(string(username), string(password), "", "", true, ""), nil
return nil, fmt.Errorf("invalid repository credentials in secret %s: does not contain githubAppID or username", credentialsSecret)
}
return nil, fmt.Errorf("unknown repository type")
}

0 comments on commit 15573da

Please sign in to comment.