feat: plugins as services

[Joibel]

This commit makes the repo server able to use cmp plugins via kubernetes services.

Closes #14132 - read that for details of the design

Some discussion points for this PR:

• Plugin name: Currently determined by the port name in the service. One service can have many ports, and this feels somewhat useful, so I chose the port name. My guess is the correct thing to do is add another gRPC call, which could also return the parameters (future UI work could then expose them for those people who use it to create apps). We'd then query on first noticing and then poll every 30 seconds. I'd like feedback on whether this is the right approach and desired - if so I'll add it.
• We cache the service list, but not the sidecar list. I'm assuming some plugins could take time to initialise, so may not have created a socket file in time for a cache at startup approach. It would be trivial to switch though.
• SA Token + role + rolebindings in the repo server: I've added it as default mounted now because it makes service plugins just work. Happy not to do this though.
• Namespace configuration for where to find services is via en environment variable. I didn't originally propose it, but I think it's the right approach now.
• No tests written yet whilst we ascertain what we want.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[tico24]

Some docs change requests

[tico24]

minor nit

[codecov]

Codecov Report

Attention: Patch coverage is 21.64502% with 181 lines in your changes are missing coverage. Please review.

Project coverage is 49.10%. Comparing base (397063f) to head (df2caf8).
Report is 106 commits behind head on master.

❗ Current head df2caf8 differs from pull request most recent head 42761cf. Consider uploading reports for the commit 42761cf to get more accurate results

Files	Patch %	Lines
util/app/discovery/services.go	0.00%	81 Missing ⚠️
util/app/discovery/plugin.go	32.91%	52 Missing and 1 partial ⚠️
util/app/discovery/discovery.go	27.90%	31 Missing ⚠️
reposerver/repository/repository.go	38.88%	11 Missing ⚠️
cmd/argocd/commands/app.go	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #16852      +/-   ##
==========================================
- Coverage   49.21%   49.10%   -0.12%     
==========================================
  Files         274      276       +2     
  Lines       48111    48276     +165     
==========================================
+ Hits        23677    23704      +27     
- Misses      22090    22227     +137     
- Partials     2344     2345       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[crenshaw-dev]

Overall, I'm liking the ideas.

I do think we should implement some form of auth on v1. Other unauth'ed components are a problem, and it's difficult to retroactively add that.

I also think some of the new files could use more test coverage.

But generally, looking good!

[Joibel]

How about this thing from above:
"Plugin name: Currently determined by the port name in the service. One service can have many ports, and this feels somewhat useful, so I chose the port name. My guess is the correct thing to do is add another gRPC call, which could also return the parameters (future UI work could then expose them for those people who use it to create apps). We'd then query on first noticing and then poll every 30 seconds. I'd like feedback on whether this is the right approach and desired - if so I'll add it."

Do you have ideas on how you'd like auth to work?

[crenshaw-dev]

Might have to hop on a call to 100% understand the port issue. Gotta focus on ArgoCon stuff for now.

re: auth - I think we should probably ask the user to generate a Secret and mount it to the FS of both the repo-server and the plugins. The plugin server would require that the password be present in gRPC call metadata for every call.

[Joibel]

This is ready for re-review. The CI license check is failing, but it is for everything these days.

[jsoref]

As someone who spends an inordinate amount of time reading error messages that involve lousy inputs (especially leading/trailing whitespace), I'd like to encourage people to consistently wrap string variables in a quotation character.

Suggested change

	log.Errorf("No authentication secret present at %s", path)
	log.Errorf("No authentication secret present at '%s'", path)

Note: ideally argocd would be consistent about whether it's using ", ', or "`", but it isn't right now, so if you pick the one that is used the most or by things closest to this code, that'd be great.

[jsoref]

Can you add a newline at EOF? (I'm not sure how to get github to let me suggest this...)

[jsoref]

If address has a risk of having garbage characters, then quotes would be good. I'm assuming that type is a relatively constrained thing and thus shouldn't need them.

[jsoref]

Unless there's a stylistic thing for the double space here...

Suggested change

	// wrappedStream wraps around the embedded grpc.ClientStream, and intercepts the RecvMsg and
	// wrappedStream wraps around the embedded grpc.ClientStream, and intercepts the RecvMsg and

[jsoref]

This should make the linter happy:

Suggested change

	path := fmt.Sprintf(filepath.Join(root, tryPath, common.PluginAuthSecretName))
	path := filepath.Join(root, tryPath, common.PluginAuthSecretName)

The alternative would be:

		path := fmt.Sprintf("%s", filepath.Join(root, tryPath, common.PluginAuthSecretName))

The current code is risky in C languages if someone could construct root, tryPath, or common.PluginAuthSecretName to include %... (I expect go might not count as a C language here, but it's good practice to avoid risky style...)

[jsoref]

I'd probably want quotes around %s.

I'm not sure what parents is in context. (It's also possible it needs a possessive ' marker.)

[jsoref]

Suggested change

	// PluginAuthTokenHeader is the name of the header to be used for auth. It must be lower case.
	// PluginAuthTokenHeader is the name of the header to be used for auth. It must be lowercase.

[jsoref]

Suggested change

	2. The argocd-repo-server's service account has a role binding allowing `get`, `list` and `watch` on services.
	2. The argocd-repo-server's service account has a role binding allowing `get`, `list` and `watch` on services.