feat: add OCI support for Argo CD sources#4354
Conversation
✅ Deploy Preview for zarf-docs canceled.
|
brandtkeller
left a comment
brandtkeller
left a comment
There was a problem hiding this comment.
Made a first pass - spent a healthy amount of time educating myself on argo further.
Left a nit that I think we can cleanup in a few places. Separately want to consider some additional scope for this change:
- E2E testing - unit tests get us some good feedback loops on the internal dependency and behaviors but this is largely an external integration. I would love to think about how we test this is operational.
- Documentation - right now this can be appending to the existing tutorial. There may be more opportunity for a more granular pass at argocd orchestration docs.
Two minor requests:
- Can you comment on an issue if/when you pick it up for work (or at least with the PR) - In doing so we can assign you and help prevent any colliding submissions (as well as remember to track for reviews on the project board.
- Add context to the PR description. It took me a fair bit of reading to tell that the associated issue was asking for a feature around oci registries when you actually solved for oci images. The former isn't actually as valid and you solved the problem correctly here IMO - but I had to hunt down the delta and process.
Thank you for the continued support and contributions - I very much appreciate it!
| patches = append(patches, operations.ReplacePatchOperation("/data/username", base64.StdEncoding.EncodeToString([]byte(gitServer.PullUsername)))) | ||
| patches = append(patches, operations.ReplacePatchOperation("/data/password", base64.StdEncoding.EncodeToString([]byte(gitServer.PullPassword)))) | ||
|
|
||
| if isOCI { |
There was a problem hiding this comment.
Nit: for code patterns used across zarf (of those replaced thus far) we have been upgrading to use the happy path is left-aligned concept whereby - when possible we process conditions and return early and avoid else returns.
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
2 times, most recently
from
ab7df2b to
9007e84
Compare
|
@brandtkeller thanks for the initial review. I added changes which addresses all of the mentioned points. For the other two points, will definitely keep that in mind for future work. Update: For the sake of proper documentation, should I create a new issue specifying the OCI support for manifests? |
|
The issue we might have with this is that ArgoCD will try to hit the registry over HTTPS. We were getting this in the Argo logs: Helm allows you to use http via: However it doesn't look like Argo exposes an option for that. It exposes a We're currently trying to work around this by putting an internal The easier option would be to have a HTTPS endpoint exposed on the zarf registry (just internally as a service not as an ingress/GatewayAPI route), even if it just uses a self-signed certificate. Not sure if that's a route we want to take though. |
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
2 times, most recently
from
1128adc to
a5388db
Compare
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
a5388db to
d159081
Compare
|
The failed pipeline Is probably related to the version bump of Argo CD, which throws an error with the gitea.localhost setup in the test. Not sure yet what exactly changed in Argo CD but will investigate further on how to resolve that. |
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
34ce98d to
c9b5774
Compare
|
External test fails because |
|
Thanks for the work on this @robinlieb. Out of curiosity, how did you work around ArgoCD forcing Helm to use HTTPS when interacting with OCI? We had to put a HTTPS proxy in place to work around that. |
|
@al-jeyapal setting |
Thanks @robinlieb I hadn't seen any references to that in the doco, but can see it in the code. Very helpful. I'm hoping to be rotated back onto the project later this month, so will aim to give it a go when next on. |
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
d993eff to
d707be0
Compare
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
2 times, most recently
from
c462f45 to
e933a52
Compare
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
3 times, most recently
from
c420e22 to
3790883
Compare
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
9f2f551 to
89261bc
Compare
|
Hey, I would really like to use this feature. Can I expect this feature to be in the next release? |
In review! Next release is tomorrow - so if not that release then the following. @robinlieb Can you update with main before I run CI? We had some changes that will likely make them fail if I run now. Review nearly complete. |
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
031366c to
4ab4033
Compare
@brandtkeller rebased. |
brandtkeller
left a comment
brandtkeller
left a comment
There was a problem hiding this comment.
I think there are tests implicitly passing with the argo package because we also have the git server configured (required for the package to fully deploy) and the corresponding logic can handle OCI - but when you disable the git server and remove the git-server related elements from the package it does not deploy the applications as expected.
There was a problem hiding this comment.
Doing some testing - Do we need to handle registry-only (OCI) for this resource?
There was a problem hiding this comment.
Unified the check to conform with applications. Added tests for that.
There was a problem hiding this comment.
Are there OCI implications that we need to consider here as well?
There was a problem hiding this comment.
Unified the check to conform with applications. Added tests for that.
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
8292b94 to
16cf0f1
Compare
brandtkeller
left a comment
brandtkeller
left a comment
There was a problem hiding this comment.
Some of my last comments (hopefully) - only other thing I was going to look at is where we landed for testing with the proxy init model and mTLS.
|
|
||
| const ( | ||
| // AgentErrTransformGitURL is thrown when the agent fails to make the git url a Zarf compatible url | ||
| AgentErrTransformGitURL = "unable to transform the git url" |
There was a problem hiding this comment.
nit: if we have these constants then they likeky qualify as good sentinel errors. I won't block on this.
| for idx, repo := range proj.Spec.SourceRepos { | ||
| patchedURL, err := getPatchedRepoURL(ctx, repo, s.GitServer) | ||
| patchedURL, err := getPatchedRepoURL(ctx, repo, registryAddress, clusterIP, s.GitServer, r) | ||
| // The AppProject can also include source repositories like '*' (as in the default project), |
There was a problem hiding this comment.
Something we should address in the near future is detecting wildcards before the patch operation. This current flow could open up quite a few avenues for unintended consequences on misconfiguration.
There was a problem hiding this comment.
This check is missing the asymmetry for both git server address and registry address. shouldMutateURL also performs this check in a sense. So I think we just need to resolve how and where to best perform that validation.
brandtkeller
left a comment
brandtkeller
left a comment
There was a problem hiding this comment.
Minor changes - please rebase with main and I'll kickoff CI and approve/advocate for second review. Appreciate the patience again.
Signed-off-by: Robin Lieb <[email protected]>
…tation Signed-off-by: Robin Lieb <[email protected]>
Signed-off-by: Robin Lieb <[email protected]>
Signed-off-by: Robin Lieb <[email protected]>
Signed-off-by: Robin Lieb <[email protected]>
Signed-off-by: Robin Lieb <[email protected]>
Signed-off-by: Robin Lieb <[email protected]>
robinlieb
force-pushed
the
feat/argocd-applications-oci-source
branch
from
a026906 to
64867ba
Compare
Co-authored-by: Brandt Keller <[email protected]> Signed-off-by: Robin Lieb <[email protected]>
Co-authored-by: Brandt Keller <[email protected]> Signed-off-by: Robin Lieb <[email protected]>
Co-authored-by: Brandt Keller <[email protected]> Signed-off-by: Robin Lieb <[email protected]>
Co-authored-by: Brandt Keller <[email protected]> Signed-off-by: Robin Lieb <[email protected]>
Rebased and proposed changes applied, thanks! |
5 participants
Description
This PR adds the capability to mutate OCI references in Argo CD resources and replaces the given OCI reference to the Zarf registry URL.
This change adds the possibility to use Manifest and Helm Charts in the repoURL in the Application, like explained in the OCI Docs in Argo CD with the first two examples. To archive that it also changes the patching of the URL in repository secrets to use the registry instead of the git server if oci is used.
Additionally, added the patching of the repo url for Argo CD repo-creds secret type.
Related Issue
Relates to #3046
Checklist before merging