feat: Allow proxy to be saved when creating repoCreds (#11351) (#11425)

* fix: allow proxy to be saved in repoCreds (https + github app)

Signed-off-by: Nathanael Liechti <technat@technat.ch>

* chore: changes from codegen

Signed-off-by: Nathanael Liechti <technat@technat.ch>

* chore: add unit test for CreateRepoCreds

Signed-off-by: Nathanael Liechti <technat@technat.ch>

Signed-off-by: Nathanael Liechti <technat@technat.ch>

assets/swagger.json

@@ -7034,6 +7034,10 @@
           "type": "string",
           "title": "Password for authenticating at the repo server"
         },
+        "proxy": {
+          "type": "string",
+          "title": "Proxy specifies the HTTP/HTTPS proxy used to access repos at the repo server"
+        },
         "sshPrivateKey": {
           "type": "string",
           "title": "SSHPrivateKey contains the private key data for authenticating at the repo server using SSH (only Git repos)"

pkg/apis/application/v1alpha1/repository_types.go

@@ -37,6 +37,8 @@ type RepoCreds struct {
 	EnableOCI bool `json:"enableOCI,omitempty" protobuf:"bytes,11,opt,name=enableOCI"`
 	// Type specifies the type of the repoCreds. Can be either "git" or "helm. "git" is assumed if empty or absent.
 	Type string `json:"type,omitempty" protobuf:"bytes,12,opt,name=type"`
+	// Proxy specifies the HTTP/HTTPS proxy used to access repos at the repo server
+	Proxy string `json:"proxy,omitempty" protobuf:"bytes,19,opt,name=proxy"`
 }
 
 // Repository is a repository holding application configurations
@@ -162,6 +164,9 @@ func (repo *Repository) CopyCredentialsFrom(source *RepoCreds) {
 		if repo.GitHubAppEnterpriseBaseURL == "" {
 			repo.GitHubAppEnterpriseBaseURL = source.GitHubAppEnterpriseBaseURL
 		}
+		if repo.Proxy == "" {
+			repo.Proxy = source.Proxy
+		}
 	}
 }
 

ui/src/app/settings/components/repos-list/repos-list.tsx

@@ -64,6 +64,7 @@ interface NewHTTPSRepoCredsParams {
     password: string;
     tlsClientCertData: string;
     tlsClientCertKey: string;
+    proxy: string;
 }
 
 interface NewGitHubAppRepoCredsParams {
@@ -74,6 +75,7 @@ interface NewGitHubAppRepoCredsParams {
     githubAppEnterpriseBaseURL: string;
     tlsClientCertData: string;
     tlsClientCertKey: string;
+    proxy: string;
 }
 
 export enum ConnectionMethod {
@@ -630,7 +632,8 @@ export class ReposList extends React.Component<
                 username: params.username,
                 password: params.password,
                 tlsClientCertData: params.tlsClientCertData,
-                tlsClientCertKey: params.tlsClientCertKey
+                tlsClientCertKey: params.tlsClientCertKey,
+                proxy: params.proxy
             });
         } else {
             this.setState({connecting: true});
@@ -676,7 +679,8 @@ export class ReposList extends React.Component<
                 githubAppInstallationId: params.githubAppInstallationId,
                 githubAppEnterpriseBaseURL: params.githubAppEnterpriseBaseURL,
                 tlsClientCertData: params.tlsClientCertData,
-                tlsClientCertKey: params.tlsClientCertKey
+                tlsClientCertKey: params.tlsClientCertKey,
+                proxy: params.proxy
             });
         } else {
             this.setState({connecting: true});

ui/src/app/shared/services/repocreds-service.ts

@@ -14,17 +14,19 @@ export class RepoCredsService {
         username,
         password,
         tlsClientCertData,
-        tlsClientCertKey
+        tlsClientCertKey,
+        proxy
     }: {
         url: string;
         username: string;
         password: string;
         tlsClientCertData: string;
         tlsClientCertKey: string;
+        proxy: string;
     }): Promise<models.RepoCreds> {
         return requests
             .post('/repocreds')
-            .send({url, username, password, tlsClientCertData, tlsClientCertKey})
+            .send({url, username, password, tlsClientCertData, tlsClientCertKey, proxy})
             .then(res => res.body as models.RepoCreds);
     }
 
@@ -42,7 +44,8 @@ export class RepoCredsService {
         githubAppInstallationId,
         githubAppEnterpriseBaseURL,
         tlsClientCertData,
-        tlsClientCertKey
+        tlsClientCertKey,
+        proxy
     }: {
         url: string;
         githubAppPrivateKey: string;
@@ -51,10 +54,11 @@ export class RepoCredsService {
         githubAppEnterpriseBaseURL: string;
         tlsClientCertData: string;
         tlsClientCertKey: string;
+        proxy: string;
     }): Promise<models.RepoCreds> {
         return requests
             .post('/repocreds')
-            .send({url, githubAppPrivateKey, githubAppId, githubAppInstallationId, githubAppEnterpriseBaseURL, tlsClientCertData, tlsClientCertKey})
+            .send({url, githubAppPrivateKey, githubAppId, githubAppInstallationId, githubAppEnterpriseBaseURL, tlsClientCertData, tlsClientCertKey, proxy})
             .then(res => res.body as models.RepoCreds);
     }
 

util/db/repository_secrets.go

@@ -391,6 +391,7 @@ func (s *secretsRepositoryBackend) secretToRepoCred(secret *corev1.Secret) (*app
 		Type:                       string(secret.Data["type"]),
 		GithubAppPrivateKey:        string(secret.Data["githubAppPrivateKey"]),
 		GitHubAppEnterpriseBaseURL: string(secret.Data["githubAppEnterpriseBaseUrl"]),
+		Proxy:                      string(secret.Data["proxy"]),
 	}
 
 	enableOCI, err := boolOrFalse(secret, "enableOCI")
@@ -431,6 +432,7 @@ func repoCredsToSecret(repoCreds *appsv1.RepoCreds, secret *corev1.Secret) {
 	updateSecretInt(secret, "githubAppID", repoCreds.GithubAppId)
 	updateSecretInt(secret, "githubAppInstallationID", repoCreds.GithubAppInstallationId)
 	updateSecretString(secret, "githubAppEnterpriseBaseUrl", repoCreds.GitHubAppEnterpriseBaseURL)
+	updateSecretString(secret, "proxy", repoCreds.Proxy)
 	addSecretMetadata(secret, common.LabelValueSecretTypeRepoCreds)
 }
 

util/db/repository_secrets_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"context"
+
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -406,39 +407,82 @@ func TestSecretsRepositoryBackend_DeleteRepository(t *testing.T) {
 }
 
 func TestSecretsRepositoryBackend_CreateRepoCreds(t *testing.T) {
+
 	clientset := getClientset(map[string]string{})
 	testee := &secretsRepositoryBackend{db: &db{
 		ns:            testNamespace,
 		kubeclientset: clientset,
 		settingsMgr:   settings.NewSettingsManager(context.TODO(), clientset, testNamespace),
 	}}
 
-	input := &appsv1.RepoCreds{
-		URL:       "git@github.com:argoproj",
-		Username:  "someUsername",
-		Password:  "somePassword",
-		EnableOCI: true,
+	testCases := []struct {
+		name      string
+		repoCreds appsv1.RepoCreds
+		// Note: URL needs to be a different one for every testCase
+		// otherwise we would need to use the DeleteRepoCreds method to clean up the secret after each test
+		// which results in an unwanted dependency in a unit test
+	}{
+		{
+			name: "minimal_https_fields",
+			repoCreds: appsv1.RepoCreds{
+				URL:       "git@github.com:argoproj",
+				Username:  "someUsername",
+				Password:  "somePassword",
+				EnableOCI: true,
+			},
+		},
+		{
+			name: "with_proxy",
+			repoCreds: appsv1.RepoCreds{
+				URL:      "git@github.com:kubernetes",
+				Username: "anotherUsername",
+				Password: "anotherPassword",
+				Proxy:    "https://proxy.argoproj.io:3128",
+			},
+		},
 	}
 
-	output, err := testee.CreateRepoCreds(context.TODO(), input)
-	assert.NoError(t, err)
-	assert.Same(t, input, output)
-
-	secret, err := clientset.CoreV1().Secrets(testNamespace).Get(
-		context.TODO(),
-		RepoURLToSecretName(credSecretPrefix, input.URL),
-		metav1.GetOptions{},
-	)
-	assert.NotNil(t, secret)
-	assert.NoError(t, err)
-
-	assert.Equal(t, common.AnnotationValueManagedByArgoCD, secret.Annotations[common.AnnotationKeyManagedBy])
-	assert.Equal(t, common.LabelValueSecretTypeRepoCreds, secret.Labels[common.LabelKeySecretType])
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			output, err := testee.CreateRepoCreds(context.TODO(), &testCase.repoCreds)
+			assert.NoError(t, err)
+			assert.Same(t, &testCase.repoCreds, output)
+
+			secret, err := clientset.CoreV1().Secrets(testNamespace).Get(
+				context.TODO(),
+				RepoURLToSecretName(credSecretPrefix, testCase.repoCreds.URL),
+				metav1.GetOptions{},
+			)
+			assert.NotNil(t, secret)
+			assert.NoError(t, err)
+
+			assert.Equal(t, common.AnnotationValueManagedByArgoCD, secret.Annotations[common.AnnotationKeyManagedBy])
+			assert.Equal(t, common.LabelValueSecretTypeRepoCreds, secret.Labels[common.LabelKeySecretType])
+
+			// check every possible field of the secret if it has the same (default) value as the repoCred struct
+			// non-string fields must be parsed so that their default value matches the one of the corresponding type
+			assert.Equal(t, testCase.repoCreds.URL, string(secret.Data["url"]))
+			assert.Equal(t, testCase.repoCreds.Username, string(secret.Data["username"]))
+			assert.Equal(t, testCase.repoCreds.Password, string(secret.Data["password"]))
+			if enableOCI, err := strconv.ParseBool(string(secret.Data["githubAppPrivateKey"])); err == nil {
+				assert.Equal(t, strconv.FormatBool(testCase.repoCreds.EnableOCI), enableOCI)
+			}
+			assert.Equal(t, testCase.repoCreds.SSHPrivateKey, string(secret.Data["sshPrivateKey"]))
+			assert.Equal(t, testCase.repoCreds.TLSClientCertData, string(secret.Data["tlsClientCertData"]))
+			assert.Equal(t, testCase.repoCreds.TLSClientCertKey, string(secret.Data["tlsClientCertKey"]))
+			assert.Equal(t, testCase.repoCreds.Type, string(secret.Data["type"]))
+			assert.Equal(t, testCase.repoCreds.GithubAppPrivateKey, string(secret.Data["githubAppPrivateKey"]))
+			if githubAppPrivateKey, err := strconv.ParseInt(string(secret.Data["githubAppPrivateKey"]), 10, 64); err == nil {
+				assert.Equal(t, testCase.repoCreds.GithubAppId, githubAppPrivateKey)
+			}
+			if githubAppID, err := strconv.ParseInt(string(secret.Data["githubAppId"]), 10, 64); err == nil {
+				assert.Equal(t, testCase.repoCreds.GithubAppInstallationId, githubAppID)
+			}
+			assert.Equal(t, testCase.repoCreds.GitHubAppEnterpriseBaseURL, string(secret.Data["githubAppEnterpriseUrl"]))
+			assert.Equal(t, testCase.repoCreds.Proxy, string(secret.Data["proxy"]))
 
-	assert.Equal(t, input.URL, string(secret.Data["url"]))
-	assert.Equal(t, input.Username, string(secret.Data["username"]))
-	assert.Equal(t, input.Password, string(secret.Data["password"]))
-	assert.Equal(t, strconv.FormatBool(input.EnableOCI), string(secret.Data["enableOCI"]))
+		})
+	}
 }
 
 func TestSecretsRepositoryBackend_GetRepoCreds(t *testing.T) {