feat: allow webhook settings to be referenced by external secret

Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@ledger.fr>
argoproj · Nov 7, 2023 · d3ddebe · d3ddebe
1 parent 4254889
commit d3ddebe
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 28 deletions.
diff --git a/util/settings/settings.go b/util/settings/settings.go
@@ -1489,27 +1489,6 @@ func (mgr *SettingsManager) updateSettingsFromSecret(settings *ArgoCDSettings, a
 	} else {
 		errs = append(errs, &incompleteSettingsError{message: "server.secretkey is missing"})
 	}
-	if githubWebhookSecret := argoCDSecret.Data[settingsWebhookGitHubSecretKey]; len(githubWebhookSecret) > 0 {
-		settings.WebhookGitHubSecret = string(githubWebhookSecret)
-	}
-	if gitlabWebhookSecret := argoCDSecret.Data[settingsWebhookGitLabSecretKey]; len(gitlabWebhookSecret) > 0 {
-		settings.WebhookGitLabSecret = string(gitlabWebhookSecret)
-	}
-	if bitbucketWebhookUUID := argoCDSecret.Data[settingsWebhookBitbucketUUIDKey]; len(bitbucketWebhookUUID) > 0 {
-		settings.WebhookBitbucketUUID = string(bitbucketWebhookUUID)
-	}
-	if bitbucketserverWebhookSecret := argoCDSecret.Data[settingsWebhookBitbucketServerSecretKey]; len(bitbucketserverWebhookSecret) > 0 {
-		settings.WebhookBitbucketServerSecret = string(bitbucketserverWebhookSecret)
-	}
-	if gogsWebhookSecret := argoCDSecret.Data[settingsWebhookGogsSecretKey]; len(gogsWebhookSecret) > 0 {
-		settings.WebhookGogsSecret = string(gogsWebhookSecret)
-	}
-	if azureDevOpsUsername := argoCDSecret.Data[settingsWebhookAzureDevOpsUsernameKey]; len(azureDevOpsUsername) > 0 {
-		settings.WebhookAzureDevOpsUsername = string(azureDevOpsUsername)
-	}
-	if azureDevOpsPassword := argoCDSecret.Data[settingsWebhookAzureDevOpsPasswordKey]; len(azureDevOpsPassword) > 0 {
-		settings.WebhookAzureDevOpsPassword = string(azureDevOpsPassword)
-	}
 
 	// The TLS certificate may be externally managed. We try to load it from an
 	// external secret first. If the external secret doesn't exist, we either
@@ -1549,6 +1528,15 @@ func (mgr *SettingsManager) updateSettingsFromSecret(settings *ArgoCDSettings, a
 	if len(errs) > 0 {
 		return errs[0]
 	}
+
+	settings.WebhookGitHubSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookGitHubSecretKey]), settings.Secrets)
+	settings.WebhookGitLabSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookGitLabSecretKey]), settings.Secrets)
+	settings.WebhookBitbucketUUID = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookBitbucketUUIDKey]), settings.Secrets)
+	settings.WebhookBitbucketServerSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookBitbucketServerSecretKey]), settings.Secrets)
+	settings.WebhookGogsSecret = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookGogsSecretKey]), settings.Secrets)
+	settings.WebhookAzureDevOpsUsername = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookAzureDevOpsUsernameKey]), settings.Secrets)
+	settings.WebhookAzureDevOpsPassword = ReplaceStringSecret(string(argoCDSecret.Data[settingsWebhookAzureDevOpsPasswordKey]), settings.Secrets)
+
 	return nil
 }
 

diff --git a/util/settings/settings_test.go b/util/settings/settings_test.go
@@ -1241,9 +1241,9 @@ func TestDownloadArgoCDBinaryUrls(t *testing.T) {
 func TestSecretKeyRef(t *testing.T) {
 	data := map[string]string{
 		"oidc.config": `name: Okta
-issuer: $acme:issuerSecret
+issuer: $ext:issuerSecret
 clientID: aaaabbbbccccddddeee
-clientSecret: $acme:clientSecret
+clientSecret: $ext:clientSecret
 # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
 requestedScopes: ["openid", "profile", "email"]
 # Optional set of OIDC claims to request on the ID token.
@@ -1265,28 +1265,31 @@ requestedIDTokenClaims: {"groups": {"essential": true}}`,
 			Namespace: "default",
 		},
 		Data: map[string][]byte{
-			"admin.password":   nil,
-			"server.secretkey": nil,
+			"admin.password":        nil,
+			"server.secretkey":      nil,
+			"webhook.github.secret": []byte("$ext:webhook.github.secret"),
 		},
 	}
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      "acme",
+			Name:      "ext",
 			Namespace: "default",
 			Labels: map[string]string{
 				"app.kubernetes.io/part-of": "argocd",
 			},
 		},
 		Data: map[string][]byte{
-			"issuerSecret": []byte("https://dev-123456.oktapreview.com"),
-			"clientSecret": []byte("deadbeef"),
+			"issuerSecret":          []byte("https://dev-123456.oktapreview.com"),
+			"clientSecret":          []byte("deadbeef"),
+			"webhook.github.secret": []byte("mywebhooksecret"),
 		},
 	}
 	kubeClient := fake.NewSimpleClientset(cm, secret, argocdSecret)
 	settingsManager := NewSettingsManager(context.Background(), kubeClient, "default")
 
 	settings, err := settingsManager.GetSettings()
 	assert.NoError(t, err)
+	assert.Equal(t, settings.WebhookGitHubSecret, "mywebhooksecret")
 
 	oidcConfig := settings.OIDCConfig()
 	assert.Equal(t, oidcConfig.Issuer, "https://dev-123456.oktapreview.com")