Skip to content

fix: universal fallback mechanism to read git credentials#3438

Open
j-zimnowoda wants to merge 11 commits into
mainfrom
APL-1969-1
Open

fix: universal fallback mechanism to read git credentials#3438
j-zimnowoda wants to merge 11 commits into
mainfrom
APL-1969-1

Conversation

@j-zimnowoda

@j-zimnowoda j-zimnowoda commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

📌 Summary

Make restoring git credentials universal (i.e.: support migration one external (BYO git) and internal git repository (Gitea).

Delete apl-operator Deployment, so the upgradeStrategy immutable field can be changed.

🔍 Reviewer Notes

Tested with BYO git, where branch not main

🧹 Checklist

  • Code is readable, maintainable, and robust.
  • Unit tests added/updated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the legacy Git-credentials fallback path so components can retrieve repo credentials from Argo CD resources when the consolidated apl-secrets/apl-git-config Secret is not available.

Changes:

  • Switches legacy credential lookup to read from the argocd/argocd-repo-creds-git Secret.
  • Adds a lookup of the otomi/otomi-api ConfigMap to derive a fallback git branch value.

Comment thread src/common/git-config.ts
j-zimnowoda and others added 3 commits July 10, 2026 14:41
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@j-zimnowoda j-zimnowoda marked this pull request as ready for review July 10, 2026 13:00
Copilot AI review requested due to automatic review settings July 10, 2026 13:00

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread src/common/git-config.ts
Comment thread src/common/git-config.test.ts
Copilot AI review requested due to automatic review settings July 10, 2026 13:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread src/common/git-config.ts
Comment on lines 158 to 162
it('should return undefined when secret does not exist', async () => {
mockGetK8sSecret.mockResolvedValue(undefined)
const result = await getOldGitCredentials()
expect(result).toEqual(undefined)
})
Copilot AI review requested due to automatic review settings July 10, 2026 13:56

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

Comment thread src/common/git-config.ts
Comment thread src/common/git-config.test.ts
Copilot AI review requested due to automatic review settings July 10, 2026 14:14

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

Comment thread src/common/runtime-upgrades/runtime-upgrades.ts Outdated
Comment thread src/common/runtime-upgrades/runtime-upgrades.ts Outdated
Comment thread src/common/runtime-upgrades/restart-istio-sidecars.ts
Comment thread src/common/runtime-upgrades/restart-istio-sidecars.ts Outdated
Comment thread src/common/git-config.ts
Comment thread src/common/git-config.ts
Copilot AI review requested due to automatic review settings July 10, 2026 14:20

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment thread src/common/runtime-upgrades/runtime-upgrades.ts Outdated
Comment thread src/common/git-config.ts
Comment thread src/common/runtime-upgrades/restart-istio-sidecars.ts Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 14:25
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

Comment on lines +65 to +74
export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> {
// Due to update of the immutable Deployment field. spec.upgradeStrategy.
const d = terminal('deleteAplOperatorDeployment')
try {
await appApi.deleteNamespacedDeployment({ name: 'apl-operator', namespace: 'apl-operator' })
d.info('Deleted apl-operator deployment in apl-operator namespace')
} catch (error) {
d.error('Error deleting apl-operator deployment:', error)
}
}

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Usually I would agree, but it is rather unlikely the deployment does not exist when apl-operator runs this code.

Comment on lines +36 to +40
'apl-operator-apl-operator': {
post: async () => {
await deleteAplOperatorDeployment(k8s.app())
},
},

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In a post-upgrade it is probably less likely to interrupt before the completion of the upgrade, but it still could before the state is updated. That would mean that this step could run repeatedly. I would suggest checking on the current upgradeStrategy before deleting the deployment.

Comment thread src/common/git-config.ts
Comment on lines +71 to +72
const cm = await getK8sConfigMap('otomi', 'otomi-api', k8s.core())
const gitBranch = cm?.data?.GIT_BRANCH || GIT_DEFAULT_CONFIG.branch
Copilot AI review requested due to automatic review settings July 10, 2026 14:31

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

Comment thread src/common/git-config.ts
Comment on lines +60 to +66
let secretData = await getK8sSecret('argocd-repo-creds-git', 'argocd')
if (!secretData) {
secretData = await getK8sSecret('argocd-repo-creds-gitea', 'argocd')
}
secretData = await getK8sSecret('gitea-admin-secret', 'gitea')
if (secretData?.password) {
return {
...GIT_LEGACY_CONFIG,
username: secretData.username,
password: secretData.password,
}
// With BYO, `url` contains the full repo URL; otherwise fall back to the legacy Gitea URL
const repoUrl = secretData?.url || GIT_LEGACY_CONFIG.repoUrl

Comment on lines +36 to +40
'apl-operator-apl-operator': {
post: async () => {
await deleteAplOperatorDeployment(k8s.app())
},
},
Comment on lines +65 to +74
export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> {
// Due to update of the immutable Deployment field. spec.upgradeStrategy.
const d = terminal('deleteAplOperatorDeployment')
try {
await appApi.deleteNamespacedDeployment({ name: 'apl-operator', namespace: 'apl-operator' })
d.info('Deleted apl-operator deployment in apl-operator namespace')
} catch (error) {
d.error('Error deleting apl-operator deployment:', error)
}
}
Comment on lines +65 to +74
export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> {
// Due to update of the immutable Deployment field. spec.upgradeStrategy.
const d = terminal('deleteAplOperatorDeployment')
try {
await appApi.deleteNamespacedDeployment({ name: 'apl-operator', namespace: 'apl-operator' })
d.info('Deleted apl-operator deployment in apl-operator namespace')
} catch (error) {
d.error('Error deleting apl-operator deployment:', error)
}
}
Comment on lines +149 to +166
it('should fall back to legacy gitea secret when git secret is missing', async () => {
mockGetK8sSecret.mockResolvedValueOnce(undefined).mockResolvedValueOnce({
url: 'http://gitea-http.gitea.svc.cluster.local:3000/otomi/values.git',
username: 'otomi-admin',
password: 'oldpass',
})
mockGetK8sConfigMap.mockResolvedValue({ data: { GIT_BRANCH: 'main' } })

const result = await getOldGitCredentials()
expect(result).toEqual({
repoUrl: 'http://gitea-http.gitea.svc.cluster.local:3000/otomi/values.git',
username: 'otomi-admin',
password: 'oldpass',
branch: 'main',
})
expect(mockGetK8sSecret).toHaveBeenNthCalledWith(1, 'argocd-repo-creds-git', 'argocd')
expect(mockGetK8sSecret).toHaveBeenNthCalledWith(2, 'argocd-repo-creds-gitea', 'argocd')
})
Comment on lines 180 to +186
it('should return undefined when secret does not exist', async () => {
mockGetK8sSecret.mockResolvedValue(undefined)
const result = await getOldGitCredentials()
expect(result).toEqual(undefined)
expect(mockGetK8sSecret).toHaveBeenNthCalledWith(1, 'argocd-repo-creds-git', 'argocd')
expect(mockGetK8sSecret).toHaveBeenNthCalledWith(2, 'argocd-repo-creds-gitea', 'argocd')
})
return null
}

export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is not really Istio-related, as the module name suggests. Should we move it to somewhere more generic?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

right

@merll

merll commented Jul 11, 2026

Copy link
Copy Markdown
Collaborator

I generally agree with the change, I am just wondering if there is one source (or two resources in the same namespace) where we could obtain the credentials from.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants