fix: universal fallback mechanism to read git credentials#3438
fix: universal fallback mechanism to read git credentials#3438j-zimnowoda wants to merge 11 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
Updates the legacy Git-credentials fallback path so components can retrieve repo credentials from Argo CD resources when the consolidated apl-secrets/apl-git-config Secret is not available.
Changes:
- Switches legacy credential lookup to read from the
argocd/argocd-repo-creds-gitSecret. - Adds a lookup of the
otomi/otomi-apiConfigMap to derive a fallback git branch value.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| it('should return undefined when secret does not exist', async () => { | ||
| mockGetK8sSecret.mockResolvedValue(undefined) | ||
| const result = await getOldGitCredentials() | ||
| expect(result).toEqual(undefined) | ||
| }) |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
| export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> { | ||
| // Due to update of the immutable Deployment field. spec.upgradeStrategy. | ||
| const d = terminal('deleteAplOperatorDeployment') | ||
| try { | ||
| await appApi.deleteNamespacedDeployment({ name: 'apl-operator', namespace: 'apl-operator' }) | ||
| d.info('Deleted apl-operator deployment in apl-operator namespace') | ||
| } catch (error) { | ||
| d.error('Error deleting apl-operator deployment:', error) | ||
| } | ||
| } |
There was a problem hiding this comment.
Usually I would agree, but it is rather unlikely the deployment does not exist when apl-operator runs this code.
| 'apl-operator-apl-operator': { | ||
| post: async () => { | ||
| await deleteAplOperatorDeployment(k8s.app()) | ||
| }, | ||
| }, |
There was a problem hiding this comment.
In a post-upgrade it is probably less likely to interrupt before the completion of the upgrade, but it still could before the state is updated. That would mean that this step could run repeatedly. I would suggest checking on the current upgradeStrategy before deleting the deployment.
| const cm = await getK8sConfigMap('otomi', 'otomi-api', k8s.core()) | ||
| const gitBranch = cm?.data?.GIT_BRANCH || GIT_DEFAULT_CONFIG.branch |
| let secretData = await getK8sSecret('argocd-repo-creds-git', 'argocd') | ||
| if (!secretData) { | ||
| secretData = await getK8sSecret('argocd-repo-creds-gitea', 'argocd') | ||
| } | ||
| secretData = await getK8sSecret('gitea-admin-secret', 'gitea') | ||
| if (secretData?.password) { | ||
| return { | ||
| ...GIT_LEGACY_CONFIG, | ||
| username: secretData.username, | ||
| password: secretData.password, | ||
| } | ||
| // With BYO, `url` contains the full repo URL; otherwise fall back to the legacy Gitea URL | ||
| const repoUrl = secretData?.url || GIT_LEGACY_CONFIG.repoUrl | ||
|
|
| 'apl-operator-apl-operator': { | ||
| post: async () => { | ||
| await deleteAplOperatorDeployment(k8s.app()) | ||
| }, | ||
| }, |
| export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> { | ||
| // Due to update of the immutable Deployment field. spec.upgradeStrategy. | ||
| const d = terminal('deleteAplOperatorDeployment') | ||
| try { | ||
| await appApi.deleteNamespacedDeployment({ name: 'apl-operator', namespace: 'apl-operator' }) | ||
| d.info('Deleted apl-operator deployment in apl-operator namespace') | ||
| } catch (error) { | ||
| d.error('Error deleting apl-operator deployment:', error) | ||
| } | ||
| } |
| export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> { | ||
| // Due to update of the immutable Deployment field. spec.upgradeStrategy. | ||
| const d = terminal('deleteAplOperatorDeployment') | ||
| try { | ||
| await appApi.deleteNamespacedDeployment({ name: 'apl-operator', namespace: 'apl-operator' }) | ||
| d.info('Deleted apl-operator deployment in apl-operator namespace') | ||
| } catch (error) { | ||
| d.error('Error deleting apl-operator deployment:', error) | ||
| } | ||
| } |
| it('should fall back to legacy gitea secret when git secret is missing', async () => { | ||
| mockGetK8sSecret.mockResolvedValueOnce(undefined).mockResolvedValueOnce({ | ||
| url: 'http://gitea-http.gitea.svc.cluster.local:3000/otomi/values.git', | ||
| username: 'otomi-admin', | ||
| password: 'oldpass', | ||
| }) | ||
| mockGetK8sConfigMap.mockResolvedValue({ data: { GIT_BRANCH: 'main' } }) | ||
|
|
||
| const result = await getOldGitCredentials() | ||
| expect(result).toEqual({ | ||
| repoUrl: 'http://gitea-http.gitea.svc.cluster.local:3000/otomi/values.git', | ||
| username: 'otomi-admin', | ||
| password: 'oldpass', | ||
| branch: 'main', | ||
| }) | ||
| expect(mockGetK8sSecret).toHaveBeenNthCalledWith(1, 'argocd-repo-creds-git', 'argocd') | ||
| expect(mockGetK8sSecret).toHaveBeenNthCalledWith(2, 'argocd-repo-creds-gitea', 'argocd') | ||
| }) |
| it('should return undefined when secret does not exist', async () => { | ||
| mockGetK8sSecret.mockResolvedValue(undefined) | ||
| const result = await getOldGitCredentials() | ||
| expect(result).toEqual(undefined) | ||
| expect(mockGetK8sSecret).toHaveBeenNthCalledWith(1, 'argocd-repo-creds-git', 'argocd') | ||
| expect(mockGetK8sSecret).toHaveBeenNthCalledWith(2, 'argocd-repo-creds-gitea', 'argocd') | ||
| }) |
| return null | ||
| } | ||
|
|
||
| export async function deleteAplOperatorDeployment(appApi: AppsV1Api): Promise<void> { |
There was a problem hiding this comment.
This function is not really Istio-related, as the module name suggests. Should we move it to somewhere more generic?
|
I generally agree with the change, I am just wondering if there is one source (or two resources in the same namespace) where we could obtain the credentials from. |
📌 Summary
Make restoring git credentials universal (i.e.: support migration one external (BYO git) and internal git repository (Gitea).
Delete apl-operator Deployment, so the upgradeStrategy immutable field can be changed.
🔍 Reviewer Notes
Tested with BYO git, where branch not
main🧹 Checklist