feat: allow argocd-cm to reference K8S Secrets (#4188)

[nbendafi-yseop]

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Optional. My organization is added to USERS.md.
• I've signed the CLA and my build is green (troubleshooting builds).

[codecov-commenter]

Codecov Report

Merging #4342 (80e915f) into master (083390e) will increase coverage by 0.01%.
The diff coverage is 55.55%.

@@            Coverage Diff             @@
##           master    #4342      +/-   ##
==========================================
+ Coverage   41.30%   41.31%   +0.01%     
==========================================
  Files         156      156              
  Lines       20702    20709       +7     
==========================================
+ Hits         8550     8556       +6     
+ Misses      10944    10942       -2     
- Partials     1208     1211       +3     

Impacted Files	Coverage Δ
util/settings/settings.go	47.36% <55.55%> (+0.36%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 083390e...80e915f. Read the comment docs.

[nbendafi-yseop]

This PR might also address #4052 and allow arbitrary Kubernetes Secret to be referenced and used in argocd-cm ConfigMap.
It allow definition of any entry such as

XXXSecretRef:
  name: <my secret>
  key: <key in my secret'data>

that we look for recursively in argocd-cm and output

XXX: <secret found in my secret> 

So with following example (which is slightly modified form of proposal of #4188), assuming we have

data:
  url: https://argocd.example.com

  dex.config: |
    connectors:
      # GitHub example
      - type: github
        id: github
        name: GitHub
        config:
          clientID: aabbccddeeff00112233
          clientSecretSecretRef: # Note the SecretRef prefix
            name: whatever
            key: myGitHubClientSecret
          orgs:
          - name: your-github-org
  oidcConfig: |
      name: SSO
      clientID: argocd
      clientSecretSecretRef: # Note the SecretRef prefix
        name: whatever
        key: mySSOClientSecret 

in argocd-cm
and a whatever Kubernetes Secret like

data:
  myGitHubClientSecret: a-value
  mySSOClientSecret: another-value

will produce

data:
  url: https://argocd.example.com

  dex.config: |
    connectors:
      # GitHub example
      - type: github
        id: github
        name: GitHub
        config:
          clientID: aabbccddeeff00112233
          clientSecret: a-value
          orgs:
          - name: your-github-org
  oidcConfig: |
    name: SSO
    clientID: argocd
    clientSecret: another-value

[alexmt]

Thanks for the PR @nbendafi-yseop ! Added two enhancement proposals.

[alexmt]

Argo CD executes getConfigMap method very frequently. It is too expensive to make K8S API request. Please use mgr.GetSecretsLister instead:

lister, err := mgr.GetSecretsLister()
if err != nil {
  return nil
}
lister.Secrets(mgr.namespace).Get(secretRef.Name)

As a side effect, each referenced secret must have "app.kubernetes.io/part-of": "argocd" label but I cannot see any other way to avoid performance degradation.

[nbendafi-yseop]

I think we can live with it. Even if secrets are not withing argocd-secret K8S secret, they are still part-of argocd. I'll update my code (and tests) accordingly.

[nbendafi-yseop]

After further testing, looks like "app.kubernetes.io/part-of": "argocd" only applies to ArgoCD ConfigMap, meaning lister.Secrets is able to look for K8S Secret even if they are not label with "app.kubernetes.io/part-of": "argocd" . But I might be wrong.

[alexmt]

Argo CD already supports referencing values from argocd-secret Secret. E.g. $dex.github.clientSecret. Can we keep using similar syntax for consistency. For example: $<secretName>:<key>. where <secretName> is optional secret name.

In this case secret sample config would looks like following:

        config:
            clientID: aabbccddeeff00112233
            clientSecret: $google:clientSecret

It is safe to use : as a delimiter since it cannot be used in secret name/secret data key.

[nbendafi-yseop]

I can understand the need for consistency. Here, I just wanted to be closer to SecretKeySelector type that exists in Kubernetes (cf. https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1984) or in FluxCD's helm-operator (cf. https://github.com/fluxcd/helm-operator/blob/68de5288b733c42a316e03f9c01e7505cd6985b3/pkg/apis/helm.fluxcd.io/v1/types.go#L48).

I'm relatively new in this world, so I do not really have arguments against your proposal.

(And we do ArcgoCD here, not FluxCD 😄 )

[ArgTang]

@alexmt do you have time for another review? This would make it eaiser setup when integrating with oauth providers

[sbose78]

Could you please add this change in a different PR ? :)

[nbendafi-yseop]

If that can make a difference, I've removed it from this PR.

[sbose78]

• Could you please add PR description explaining the rationale of this change?
• If this needs docs changes, could you add those to this PR too, please?

[sbose78]

Sorry, I'm having a hard time understanding the "why" of this PR :-)

Are we switching from $google.clientSecret to $google:clientSecret ?

[nbendafi-yseop]

Hello. The why is #4188 (as referred to the title of current PR).

To summarise, one would refer to secret that live outside of argocd-secret K8S Secret's data.

I'm not switching, rather adding another syntax.

Explanation by example (the one in settings_test is not obvious apparently), to clear the things out:

• As defined (and limited by) in current documentation:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-secret
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-secret
    app.kubernetes.io/part-of: argocd
type: Opaque
data:
  ...
  # Store client secret like below.
  # Ensure the secret is base64 encoded
  oidc.auth0.clientSecret: <client-secret-base64-encoded>
  ...
...
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  ...
  oidc.config: |
    name: Auth0
    clientID: aabbccddeeff00112233
    # Reference key in argocd-secret
    clientSecret: $oidc.auth0.clientSecret

so in clientSecret: $oidc.auth0.clientSecret, oidc... should be in argocd-secret's data, right ?

• Now (after this PR, I mean), we can also have

apiVersion: v1
kind: Secret
metadata:
 name: another-secret # that is not _handled_ by Argocd, and eventually synced by tools such as External-secret
data:
 ...
 # Store client secret like below.
 # Ensure the secret is base64 encoded
 oidc.auth0.clientSecret: <client-secret-base64-encoded>
...
apiVersion: v1
kind: ConfigMap
metadata:
 name: argocd-cm
data:
 ...
 oidc.config: |
   name: Auth0
   clientID: aabbccddeeff00112233
   # Reference key in argocd-secret
   clientSecret: $another-secret:oidc.auth0.clientSecret

where oidc.auth0.clientSecret is in data field of another K8S secret.

I was personally motivated to answer this issue because we have tool that sync secrets with external secret management tool (such as Vault or AWS secret manager) and periodically updates the whole K8S Secret which have the effect to be override the content of argocd-secret that ArgoCD updates as well (with its admin password, its certificates...)
So, yes, it indeed lakes of some documentation; that I'm gonna add.

[sbose78]

This makes sense, thank you very much!

[elocke]

any updates for this PR? We just ran into this problem with kubernetes-external-secrets and SSO config.

[nbendafi-yseop]

@sbose78 Hi. Is there any chance to see this PR landing soon, to solve #4188, #4052, and now #5944 ? Or please let me know if any code update is needed.

[mhaddon]

It would be nice if this PR did not die, it would make ArgoCD integrate with the Keycloak Operator nicely.

[MatteoJoliveau]

@alexmt @sbose78 I understand the team has limited bandwidth available and there is a lot of work to be done. What can we do to help move this PR forward? It is a very useful contribution that will greatly increase ArgoCD's flexibility and integration with the rest of the kube ecosystem

[alexmt]

Sorry for letting this PR slip. Looking at it this week.

[alexmt]

@nbendafi-yseop Sorry for the delay again. Better later than never.

I'm concerned that we start replacing secrets in all fields in Argo CD config map. It might cause unexpected side effects like white space removals etc.

I would like to propose a slightly different and safer implementation: change the existing GetSettings method to load secret values from multiple secrets, instead of only argocd-secret. So we don't have to touch replacing logic at all. I was not sure if it is possible so had to experiment and implemented changes in nbendafi-yseop#1

[alexmt]

Added one more comment about go linter failure. Also can you merge master to include documentation website build fix?

[alexmt]

Looks like linter is not happy because cm variable is no longer needed in test . Please remove lines 925~926.

[nbendafi-yseop]

✔️

[alexmt]

Thank you @nbendafi-yseop ! LGTM