Skip to content

Commit 847ed56

Browse files
authored
feat: declarative management of Argo CD webhook secrets (other providers) (#2178)
* feat: declarative management of Argo CD webhook secrets (other providers) Signed-off-by: Atif Ali <atali@redhat.com> * resolve Oliver and coderabbit review comments Signed-off-by: Atif Ali <atali@redhat.com> * Sync the webhook refs on 1st argocd-secret creation && add link to keys.go Signed-off-by: Atif Ali <atali@redhat.com> * Keep Azure DevOps credentials atomic and preserve unmanaged webhook keys Signed-off-by: Atif Ali <atali@redhat.com> * add suggested coderabbitai unit test Signed-off-by: Atif Ali <atali@redhat.com> --------- Signed-off-by: Atif Ali <atali@redhat.com>
1 parent d1573cf commit 847ed56

14 files changed

Lines changed: 2523 additions & 269 deletions

api/v1alpha1/argocd_conversion.go

Lines changed: 50 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1049,35 +1049,73 @@ func ConvertAlphaToBetaWebhookSecrets(src *ArgoCDWebhookSecretsSpec) *v1beta1.Ar
10491049
}
10501050
dst := &v1beta1.ArgoCDWebhookSecretsSpec{}
10511051
if src.GitHub != nil {
1052-
dst.GitHub = &v1beta1.ArgoCDWebhookSecretsGitHub{}
1053-
if src.GitHub.SecretRef != nil {
1054-
dst.GitHub.SecretRef = &v1beta1.WebhookSecretKeySelector{
1055-
Name: src.GitHub.SecretRef.Name,
1056-
Key: src.GitHub.SecretRef.Key,
1057-
}
1052+
dst.GitHub = &v1beta1.ArgoCDWebhookSecretsGitHub{WebhookSecretRef: copyAlphaToBetaWebhookRef(src.GitHub.WebhookSecretRef)}
1053+
}
1054+
if src.GitLab != nil {
1055+
dst.GitLab = &v1beta1.ArgoCDWebhookSecretsGitLab{WebhookSecretRef: copyAlphaToBetaWebhookRef(src.GitLab.WebhookSecretRef)}
1056+
}
1057+
if src.Bitbucket != nil {
1058+
dst.Bitbucket = &v1beta1.ArgoCDWebhookSecretsBitbucket{WebhookUUIDSecretRef: copyAlphaToBetaWebhookRef(src.Bitbucket.WebhookUUIDSecretRef)}
1059+
}
1060+
if src.BitbucketServer != nil {
1061+
dst.BitbucketServer = &v1beta1.ArgoCDWebhookSecretsBitbucketServer{WebhookSecretRef: copyAlphaToBetaWebhookRef(src.BitbucketServer.WebhookSecretRef)}
1062+
}
1063+
if src.Gogs != nil {
1064+
dst.Gogs = &v1beta1.ArgoCDWebhookSecretsGogs{WebhookSecretRef: copyAlphaToBetaWebhookRef(src.Gogs.WebhookSecretRef)}
1065+
}
1066+
if src.AzureDevOps != nil {
1067+
dst.AzureDevOps = &v1beta1.ArgoCDWebhookSecretsAzureDevOps{
1068+
UsernameSecretRef: copyAlphaToBetaWebhookRef(src.AzureDevOps.UsernameSecretRef),
1069+
PasswordSecretRef: copyAlphaToBetaWebhookRef(src.AzureDevOps.PasswordSecretRef),
10581070
}
10591071
}
10601072
return dst
10611073
}
10621074

1075+
func copyAlphaToBetaWebhookRef(src *WebhookSecretKeySelector) *v1beta1.WebhookSecretKeySelector {
1076+
if src == nil {
1077+
return nil
1078+
}
1079+
return &v1beta1.WebhookSecretKeySelector{Name: src.Name, Key: src.Key}
1080+
}
1081+
10631082
// ConvertBetaToAlphaWebhookSecrets converts webhook secret refs from v1beta1 to v1alpha1.
10641083
func ConvertBetaToAlphaWebhookSecrets(src *v1beta1.ArgoCDWebhookSecretsSpec) *ArgoCDWebhookSecretsSpec {
10651084
if src == nil {
10661085
return nil
10671086
}
10681087
dst := &ArgoCDWebhookSecretsSpec{}
10691088
if src.GitHub != nil {
1070-
dst.GitHub = &ArgoCDWebhookSecretsGitHub{}
1071-
if src.GitHub.SecretRef != nil {
1072-
dst.GitHub.SecretRef = &WebhookSecretKeySelector{
1073-
Name: src.GitHub.SecretRef.Name,
1074-
Key: src.GitHub.SecretRef.Key,
1075-
}
1089+
dst.GitHub = &ArgoCDWebhookSecretsGitHub{WebhookSecretRef: copyBetaToAlphaWebhookRef(src.GitHub.WebhookSecretRef)}
1090+
}
1091+
if src.GitLab != nil {
1092+
dst.GitLab = &ArgoCDWebhookSecretsGitLab{WebhookSecretRef: copyBetaToAlphaWebhookRef(src.GitLab.WebhookSecretRef)}
1093+
}
1094+
if src.Bitbucket != nil {
1095+
dst.Bitbucket = &ArgoCDWebhookSecretsBitbucket{WebhookUUIDSecretRef: copyBetaToAlphaWebhookRef(src.Bitbucket.WebhookUUIDSecretRef)}
1096+
}
1097+
if src.BitbucketServer != nil {
1098+
dst.BitbucketServer = &ArgoCDWebhookSecretsBitbucketServer{WebhookSecretRef: copyBetaToAlphaWebhookRef(src.BitbucketServer.WebhookSecretRef)}
1099+
}
1100+
if src.Gogs != nil {
1101+
dst.Gogs = &ArgoCDWebhookSecretsGogs{WebhookSecretRef: copyBetaToAlphaWebhookRef(src.Gogs.WebhookSecretRef)}
1102+
}
1103+
if src.AzureDevOps != nil {
1104+
dst.AzureDevOps = &ArgoCDWebhookSecretsAzureDevOps{
1105+
UsernameSecretRef: copyBetaToAlphaWebhookRef(src.AzureDevOps.UsernameSecretRef),
1106+
PasswordSecretRef: copyBetaToAlphaWebhookRef(src.AzureDevOps.PasswordSecretRef),
10761107
}
10771108
}
10781109
return dst
10791110
}
10801111

1112+
func copyBetaToAlphaWebhookRef(src *v1beta1.WebhookSecretKeySelector) *WebhookSecretKeySelector {
1113+
if src == nil {
1114+
return nil
1115+
}
1116+
return &WebhookSecretKeySelector{Name: src.Name, Key: src.Key}
1117+
}
1118+
10811119
func ConvertAlphaToBetaNamespaceManagement(src []ManagedNamespaces) []v1beta1.ManagedNamespaces {
10821120
var dst []v1beta1.ManagedNamespaces
10831121
for _, s := range src {

api/v1alpha1/argocd_types.go

Lines changed: 51 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -908,15 +908,63 @@ type ManagedNamespaces struct {
908908
// ArgoCDWebhookSecretsSpec holds declarative references to Secrets for Git provider webhook credentials.
909909
// +k8s:openapi-gen=true
910910
type ArgoCDWebhookSecretsSpec struct {
911-
// GitHub: Secret key reference for the webhook secret used to verify incoming webhook requests.
911+
// GitHub: Secret key reference for the GitHub webhook shared secret.
912912
GitHub *ArgoCDWebhookSecretsGitHub `json:"github,omitempty"`
913+
// GitLab: Secret key reference for the GitLab webhook shared secret.
914+
GitLab *ArgoCDWebhookSecretsGitLab `json:"gitlab,omitempty"`
915+
// Bitbucket: Secret key reference for the Bitbucket Cloud webhook UUID.
916+
Bitbucket *ArgoCDWebhookSecretsBitbucket `json:"bitbucket,omitempty"`
917+
// BitbucketServer: Secret key reference for the Bitbucket Server webhook secret.
918+
BitbucketServer *ArgoCDWebhookSecretsBitbucketServer `json:"bitbucketServer,omitempty"`
919+
// Gogs: Secret key reference for the Gogs webhook shared secret.
920+
Gogs *ArgoCDWebhookSecretsGogs `json:"gogs,omitempty"`
921+
// AzureDevOps: Secret key references for the Azure DevOps webhook username and password (or PAT).
922+
AzureDevOps *ArgoCDWebhookSecretsAzureDevOps `json:"azureDevOps,omitempty"`
913923
}
914924

915925
// ArgoCDWebhookSecretsGitHub declares where to read the GitHub webhook secret.
916926
// +k8s:openapi-gen=true
917927
type ArgoCDWebhookSecretsGitHub struct {
918-
// SecretRef points to the key holding the webhook secret value.
919-
SecretRef *WebhookSecretKeySelector `json:"secretRef,omitempty"`
928+
// WebhookSecretRef points to the key holding the GitHub webhook shared secret.
929+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
930+
}
931+
932+
// ArgoCDWebhookSecretsGitLab declares where to read the GitLab webhook secret.
933+
// +k8s:openapi-gen=true
934+
type ArgoCDWebhookSecretsGitLab struct {
935+
// WebhookSecretRef points to the key holding the GitLab webhook shared secret.
936+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
937+
}
938+
939+
// ArgoCDWebhookSecretsBitbucket declares where to read the Bitbucket Cloud webhook UUID.
940+
// +k8s:openapi-gen=true
941+
type ArgoCDWebhookSecretsBitbucket struct {
942+
// WebhookUUIDSecretRef points to the key holding the Bitbucket Cloud webhook UUID.
943+
WebhookUUIDSecretRef *WebhookSecretKeySelector `json:"webhookUUIDSecretRef,omitempty"`
944+
}
945+
946+
// ArgoCDWebhookSecretsBitbucketServer declares where to read the Bitbucket Server webhook secret.
947+
// +k8s:openapi-gen=true
948+
type ArgoCDWebhookSecretsBitbucketServer struct {
949+
// WebhookSecretRef points to the key holding the Bitbucket Server webhook shared secret.
950+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
951+
}
952+
953+
// ArgoCDWebhookSecretsGogs declares where to read the Gogs webhook secret.
954+
// +k8s:openapi-gen=true
955+
type ArgoCDWebhookSecretsGogs struct {
956+
// WebhookSecretRef points to the key holding the Gogs webhook shared secret.
957+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
958+
}
959+
960+
// ArgoCDWebhookSecretsAzureDevOps declares where to read the Azure DevOps webhook credentials.
961+
// +k8s:openapi-gen=true
962+
// +kubebuilder:validation:XValidation:rule="(has(self.usernameSecretRef) && has(self.passwordSecretRef)) || (!has(self.usernameSecretRef) && !has(self.passwordSecretRef))",message="usernameSecretRef and passwordSecretRef must be set together"
963+
type ArgoCDWebhookSecretsAzureDevOps struct {
964+
// UsernameSecretRef points to the key holding the username.
965+
UsernameSecretRef *WebhookSecretKeySelector `json:"usernameSecretRef,omitempty"`
966+
// PasswordSecretRef points to the key holding the password or PAT.
967+
PasswordSecretRef *WebhookSecretKeySelector `json:"passwordSecretRef,omitempty"`
920968
}
921969

922970
// WebhookSecretKeySelector references one key within a Secret.

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 132 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

api/v1beta1/argocd_types.go

Lines changed: 51 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1095,15 +1095,63 @@ type ManagedNamespaces struct {
10951095
// ArgoCDWebhookSecretsSpec holds declarative references to Secrets for Git provider webhook credentials.
10961096
// +k8s:openapi-gen=true
10971097
type ArgoCDWebhookSecretsSpec struct {
1098-
// GitHub: Secret key reference for the webhook secret used to verify incoming webhook requests.
1098+
// GitHub: Secret key reference for the GitHub webhook shared secret.
10991099
GitHub *ArgoCDWebhookSecretsGitHub `json:"github,omitempty"`
1100+
// GitLab: Secret key reference for the GitLab webhook shared secret.
1101+
GitLab *ArgoCDWebhookSecretsGitLab `json:"gitlab,omitempty"`
1102+
// Bitbucket: Secret key reference for the Bitbucket Cloud webhook UUID.
1103+
Bitbucket *ArgoCDWebhookSecretsBitbucket `json:"bitbucket,omitempty"`
1104+
// BitbucketServer: Secret key reference for the Bitbucket Server webhook secret.
1105+
BitbucketServer *ArgoCDWebhookSecretsBitbucketServer `json:"bitbucketServer,omitempty"`
1106+
// Gogs: Secret key reference for the Gogs webhook shared secret.
1107+
Gogs *ArgoCDWebhookSecretsGogs `json:"gogs,omitempty"`
1108+
// AzureDevOps: Secret key references for the Azure DevOps webhook username and password (or PAT).
1109+
AzureDevOps *ArgoCDWebhookSecretsAzureDevOps `json:"azureDevOps,omitempty"`
11001110
}
11011111

11021112
// ArgoCDWebhookSecretsGitHub declares where to read the GitHub webhook secret.
11031113
// +k8s:openapi-gen=true
11041114
type ArgoCDWebhookSecretsGitHub struct {
1105-
// SecretRef points to the key holding the webhook secret value.
1106-
SecretRef *WebhookSecretKeySelector `json:"secretRef,omitempty"`
1115+
// WebhookSecretRef points to the key holding the GitHub webhook shared secret.
1116+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
1117+
}
1118+
1119+
// ArgoCDWebhookSecretsGitLab declares where to read the GitLab webhook secret.
1120+
// +k8s:openapi-gen=true
1121+
type ArgoCDWebhookSecretsGitLab struct {
1122+
// WebhookSecretRef points to the key holding the GitLab webhook shared secret.
1123+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
1124+
}
1125+
1126+
// ArgoCDWebhookSecretsBitbucket declares where to read the Bitbucket Cloud webhook UUID.
1127+
// +k8s:openapi-gen=true
1128+
type ArgoCDWebhookSecretsBitbucket struct {
1129+
// WebhookUUIDSecretRef points to the key holding the Bitbucket Cloud webhook UUID.
1130+
WebhookUUIDSecretRef *WebhookSecretKeySelector `json:"webhookUUIDSecretRef,omitempty"`
1131+
}
1132+
1133+
// ArgoCDWebhookSecretsBitbucketServer declares where to read the Bitbucket Server webhook secret.
1134+
// +k8s:openapi-gen=true
1135+
type ArgoCDWebhookSecretsBitbucketServer struct {
1136+
// WebhookSecretRef points to the key holding the Bitbucket Server webhook shared secret.
1137+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
1138+
}
1139+
1140+
// ArgoCDWebhookSecretsGogs declares where to read the Gogs webhook secret.
1141+
// +k8s:openapi-gen=true
1142+
type ArgoCDWebhookSecretsGogs struct {
1143+
// WebhookSecretRef points to the key holding the Gogs webhook shared secret.
1144+
WebhookSecretRef *WebhookSecretKeySelector `json:"webhookSecretRef,omitempty"`
1145+
}
1146+
1147+
// ArgoCDWebhookSecretsAzureDevOps declares where to read the Azure DevOps webhook credentials.
1148+
// +k8s:openapi-gen=true
1149+
// +kubebuilder:validation:XValidation:rule="(has(self.usernameSecretRef) && has(self.passwordSecretRef)) || (!has(self.usernameSecretRef) && !has(self.passwordSecretRef))",message="usernameSecretRef and passwordSecretRef must be set together"
1150+
type ArgoCDWebhookSecretsAzureDevOps struct {
1151+
// UsernameSecretRef points to the key holding the username.
1152+
UsernameSecretRef *WebhookSecretKeySelector `json:"usernameSecretRef,omitempty"`
1153+
// PasswordSecretRef points to the key holding the password or PAT.
1154+
PasswordSecretRef *WebhookSecretKeySelector `json:"passwordSecretRef,omitempty"`
11071155
}
11081156

11091157
// WebhookSecretKeySelector references one key within a Secret.

0 commit comments

Comments
 (0)