diff --git a/docs/basics/update-methods.md b/docs/basics/update-methods.md index e64947ad..404b5aa4 100644 --- a/docs/basics/update-methods.md +++ b/docs/basics/update-methods.md @@ -123,7 +123,9 @@ Example: argocd-image-updater.argoproj.io/write-back-method: git:secret:argocd-image-updater/git-creds ``` -If the repository is accessed using HTTPS, the secret must contain two fields: +If the repository is accessed using HTTPS, the secret must contain either user credentials or GitHub app credentials. + +If the repository is accessed using user credentials, the secret requires two fields `username` which holds the Git username, and `password` which holds the user's password or a private access token (PAT) with write access to the repository. You can generate such a secret using `kubectl`, e.g.: @@ -134,6 +136,16 @@ kubectl -n argocd-image-updater create secret generic git-creds \ --from-literal=password=somepassword ``` +If the repository is accessed using GitHub app credentials, the secret requires three fields `githubAppID` which holds the GitHub Application ID, `githubAppInstallationID` which holds the GitHub Organization Installation ID, and `githubAppPrivateKey` which holds the GitHub Application private key. The GitHub Application must be installed into the target repository with write access. +You can generate such a secret using `kubectl`, e.g.: + +```bash +kubectl -n argocd-image-updater create secret generic git-creds \ + --from-literal=githubAppID=applicationid \ + --from-literal=githubAppInstallationID=installationid \ + --from-literal=githubAppPrivateKey='-----BEGIN RSA PRIVATE KEY-----PRIVATEKEYDATA-----END RSA PRIVATE KEY-----' +``` + If the repository is accessed using SSH, the secret must contain the field `sshPrivateKey`, which holds a SSH private key in OpenSSH-compatible PEM format. To create such a secret from an existing private key, you can use diff --git a/pkg/argocd/gitcreds.go b/pkg/argocd/gitcreds.go index d7996026..0d8ccf16 100644 --- a/pkg/argocd/gitcreds.go +++ b/pkg/argocd/gitcreds.go @@ -3,6 +3,7 @@ package argocd import ( "context" "fmt" + "strconv" "strings" "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1" @@ -66,14 +67,25 @@ func getCredsFromSecret(wbc *WriteBackConfig, credentialsSecret string, kubeClie } return git.NewSSHCreds(string(sshPrivateKey), "", true), nil } else if git.IsHTTPSURL(wbc.GitRepo) { - var username, password []byte - if username, ok = credentials["username"]; !ok { - return nil, fmt.Errorf("invalid secret %s: does not contain field username", credentialsSecret) + var username, password, githubAppID, githubAppInstallationID, githubAppPrivateKey []byte + if githubAppID, ok = credentials["githubAppID"]; ok { + if githubAppInstallationID, ok = credentials["githubAppInstallationID"]; !ok { + return nil, fmt.Errorf("invalid secret %s: does not contain field githubAppInstallationID", credentialsSecret) + } + if githubAppPrivateKey, ok = credentials["githubAppPrivateKey"]; !ok { + return nil, fmt.Errorf("invalid secret %s: does not contain field githubAppPrivateKey", credentialsSecret) + } + // converting byte array to string and ultimately int64 for NewGitHubAppCreds + intGithubAppID, _ := strconv.ParseInt(string(githubAppID), 10, 64) + intGithubAppInstallationID, _ := strconv.ParseInt(string(githubAppInstallationID), 10, 64) + return git.NewGitHubAppCreds(intGithubAppID, intGithubAppInstallationID, string(githubAppPrivateKey), "", "", "", "", true), nil + } else if username, ok = credentials["username"]; ok { + if password, ok = credentials["password"]; !ok { + return nil, fmt.Errorf("invalid secret %s: does not contain field password", credentialsSecret) + } + return git.NewHTTPSCreds(string(username), string(password), "", "", true, ""), nil } - if password, ok = credentials["password"]; !ok { - return nil, fmt.Errorf("invalid secret %s: does not contain field password", credentialsSecret) - } - return git.NewHTTPSCreds(string(username), string(password), "", "", true, ""), nil + return nil, fmt.Errorf("invalid repository credentials in secret %s: does not contain githubAppID or username", credentialsSecret) } return nil, fmt.Errorf("unknown repository type") }