feat: add google cloud source repo support (argoproj#7534) (argoproj#…

…11618) * feat: Add support for cloning Google Cloud Source repos (argoproj#7534) * Google Cloud service account auth Signed-off-by: David Becher <becher.david@googlemail.com> * fix: Fill missing struct field (GCP SA key) in cli cmd Signed-off-by: David Becher <becher.david@googlemail.com> * fix(ui): Add proxy option when configuring Google Cloud Source repo Signed-off-by: David Becher <becher.david@googlemail.com> * fix: Remove secret (GCP SA key) in Get server req Signed-off-by: David Becher <becher.david@googlemail.com> * refactor: Do not use context.WithTimeout for Google creds As the context is used in the background to refresh credentials, it should not be cancelled. Signed-off-by: David Becher <becher.david@googlemail.com> * fix: Use proxy setting only in repo-service, not repocreds-service Signed-off-by: David Becher <becher.david@googlemail.com> * test: Create tests for GoogleCloudCreds This commit refactors the implementation of GoogleCloudCreds in order to make its methods testable. Signed-off-by: David Becher <becher.david@googlemail.com> * fix: Linting issues Signed-off-by: David Becher <becher.david@googlemail.com> * chore: Fix typo in docs. Signed-off-by: David Becher <becher.david@googlemail.com> * chore: Adjust url-allow-list for lint-docs action Signed-off-by: David Becher <becher.david@googlemail.com> * chore: Incorporate suggested refactorings Signed-off-by: David Becher <becher.david@googlemail.com> * Delete url-allow-list Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * wrap errors Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * More UI goodies and codegen Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * Update docs screenshots Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * move interface up next to other interfaces Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * Reduce png size Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * update generated Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> * fix whitespace from codegen Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> Signed-off-by: David Becher <becher.david@googlemail.com> Signed-off-by: Alex Eftimie <alex.eftimie@getyourguide.com> Co-authored-by: David Becher <becher.david@googlemail.com> Signed-off-by: schakrad <chakradari.sindhu@gmail.com>
schakrad · Mar 14, 2023 · ed34317 · ed34317
1 parent 09e5945
commit ed34317
Show file tree

Hide file tree

Showing 29 changed files with 1,264 additions and 675 deletions.
diff --git a/assets/swagger.json b/assets/swagger.json
@@ -3424,6 +3424,12 @@
             "description": "Reference between project and repository that allow you automatically to be added as item inside SourceRepos project entity.",
             "name": "project",
             "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Google Cloud Platform service account key.",
+            "name": "gcpServiceAccountKey",
+            "in": "query"
           }
         ],
         "responses": {
@@ -7171,6 +7177,10 @@
           "type": "boolean",
           "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
         },
+        "gcpServiceAccountKey": {
+          "type": "string",
+          "title": "GCPServiceAccountKey specifies the service account key in JSON format to be used for getting credentials to Google Cloud Source repos"
+        },
         "githubAppEnterpriseBaseUrl": {
           "type": "string",
           "title": "GithubAppEnterpriseBaseURL specifies the GitHub API URL for GitHub app authentication. If empty will default to https://api.github.com"
@@ -7253,6 +7263,10 @@
           "type": "boolean",
           "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
         },
+        "gcpServiceAccountKey": {
+          "type": "string",
+          "title": "GCPServiceAccountKey specifies the service account key in JSON format to be used for getting credentials to Google Cloud Source repos"
+        },
         "githubAppEnterpriseBaseUrl": {
           "type": "string",
           "title": "GithubAppEnterpriseBaseURL specifies the base URL of GitHub Enterprise installation. If empty will default to https://api.github.com"

diff --git a/cmd/argocd/commands/repo.go b/cmd/argocd/commands/repo.go
@@ -70,6 +70,9 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 
   # Add a private Git repository on GitHub Enterprise via GitHub App
   argocd repo add https://ghe.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
+
+  # Add a private Git repository on Google Cloud Sources via GCP service account credentials
+  argocd repo add https://source.developers.google.com/p/my-google-cloud-project/r/my-repo --gcp-service-account-key-path service-account-key.json
 `
 
 	var command = &cobra.Command{
@@ -135,6 +138,17 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				}
 			}
 
+			if repoOpts.GCPServiceAccountKeyPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					gcpServiceAccountKey, err := os.ReadFile(repoOpts.GCPServiceAccountKeyPath)
+					errors.CheckError(err)
+					repoOpts.Repo.GCPServiceAccountKey = string(gcpServiceAccountKey)
+				} else {
+					err := fmt.Errorf("--gcp-service-account-key-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
 			// Set repository connection properties only when creating repository, not
 			// when creating repository credentials.
 			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
@@ -184,6 +198,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				GithubAppEnterpriseBaseUrl: repoOpts.Repo.GitHubAppEnterpriseBaseURL,
 				Proxy:                      repoOpts.Proxy,
 				Project:                    repoOpts.Repo.Project,
+				GcpServiceAccountKey:       repoOpts.Repo.GCPServiceAccountKey,
 			}
 			_, err := repoIf.ValidateAccess(ctx, &repoAccessReq)
 			errors.CheckError(err)

diff --git a/cmd/argocd/commands/repocreds.go b/cmd/argocd/commands/repocreds.go
@@ -39,12 +39,13 @@ func NewRepoCredsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 // NewRepoCredsAddCommand returns a new instance of an `argocd repocreds add` command
 func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		repo                    appsv1.RepoCreds
-		upsert                  bool
-		sshPrivateKeyPath       string
-		tlsClientCertPath       string
-		tlsClientCertKeyPath    string
-		githubAppPrivateKeyPath string
+		repo                     appsv1.RepoCreds
+		upsert                   bool
+		sshPrivateKeyPath        string
+		tlsClientCertPath        string
+		tlsClientCertKeyPath     string
+		githubAppPrivateKeyPath  string
+		gcpServiceAccountKeyPath string
 	)
 
 	// For better readability and easier formatting
@@ -62,6 +63,9 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 
   # Add credentials with helm oci registry so that these oci registry urls do not need to be added as repos individually.
   argocd repocreds add localhost:5000/myrepo --enable-oci --type helm 
+
+  # Add credentials with GCP credentials for all repositories under https://source.developers.google.com/p/my-google-cloud-project/r/
+  argocd repocreds add https://source.developers.google.com/p/my-google-cloud-project/r/ --gcp-service-account-key-path service-account-key.json
 `
 
 	var command = &cobra.Command{
@@ -127,6 +131,18 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 				}
 			}
 
+			// Specifying gcpServiceAccountKeyPath is only valid for HTTPS repositories
+			if gcpServiceAccountKeyPath != "" {
+				if git.IsHTTPSURL(repo.URL) {
+					gcpServiceAccountKey, err := os.ReadFile(gcpServiceAccountKeyPath)
+					errors.CheckError(err)
+					repo.GCPServiceAccountKey = string(gcpServiceAccountKey)
+				} else {
+					err := fmt.Errorf("--gcp-service-account-key-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
 			conn, repoIf := headless.NewClientOrDie(clientOpts, c).NewRepoCredsClientOrDie()
 			defer io.Close(conn)
 
@@ -158,6 +174,7 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
 	command.Flags().BoolVar(&repo.EnableOCI, "enable-oci", false, "Specifies whether helm-oci support should be enabled for this repo")
 	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
+	command.Flags().StringVar(&gcpServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
 	return command
 }
 

diff --git a/cmd/util/repo.go b/cmd/util/repo.go
@@ -22,6 +22,7 @@ type RepoOptions struct {
 	GithubAppPrivateKeyPath        string
 	GitHubAppEnterpriseBaseURL     string
 	Proxy                          string
+	GCPServiceAccountKeyPath       string
 }
 
 func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
@@ -42,4 +43,5 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
 	command.Flags().StringVar(&opts.GithubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
 	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().StringVar(&opts.Proxy, "proxy", "", "use proxy to access repository")
+	command.Flags().StringVar(&opts.GCPServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
 }
diff --git a/docs/assets/repo-add-google-cloud-source.png b/docs/assets/repo-add-google-cloud-source.png
diff --git a/docs/assets/repo-add-overview.png b/docs/assets/repo-add-overview.png
diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md
@@ -255,6 +255,33 @@ stringData:
     -----END OPENSSH PRIVATE KEY-----
 ```
 
+Example for Google Cloud Source repositories:
+
+```yaml
+kind: Secret
+metadata:
+  name: github-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  type: git
+  repo: https://source.developers.google.com/p/my-google-project/r/my-repo
+  gcpServiceAccountKey: |
+    {
+      "type": "service_account",
+      "project_id": "my-google-project",
+      "private_key_id": "REDACTED",
+      "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
+      "client_email": "argocd-service-account@my-google-project.iam.gserviceaccount.com",
+      "client_id": "REDACTED",
+      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+      "token_uri": "https://oauth2.googleapis.com/token",
+      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/argocd-service-account%40my-google-project.iam.gserviceaccount.com"
+    }
+```
+
 !!! tip
     The Kubernetes documentation has [instructions for creating a secret containing a private key](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-pod-with-ssh-keys).
 

diff --git a/docs/user-guide/commands/argocd_admin_repo_generate-spec.md b/docs/user-guide/commands/argocd_admin_repo_generate-spec.md
@@ -38,6 +38,7 @@ argocd admin repo generate-spec REPOURL [flags]
 ```
       --enable-lfs                              enable git-lfs (Large File Support) on this repository
       --enable-oci                              enable helm-oci (Helm OCI-Based Repository)
+      --gcp-service-account-key-path string     service account key for the Google Cloud Platform
       --github-app-enterprise-base-url string   base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3
       --github-app-id int                       id of the GitHub Application
       --github-app-installation-id int          installation id of the GitHub Application

diff --git a/docs/user-guide/commands/argocd_repo_add.md b/docs/user-guide/commands/argocd_repo_add.md
@@ -36,13 +36,17 @@ argocd repo add REPOURL [flags]
   # Add a private Git repository on GitHub Enterprise via GitHub App
   argocd repo add https://ghe.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
 
+  # Add a private Git repository on Google Cloud Sources via GCP service account credentials
+  argocd repo add https://source.developers.google.com/p/my-google-cloud-project/r/my-repo --gcp-service-account-key-path service-account-key.json
+
 ```
 
 ### Options
 
 ```
       --enable-lfs                              enable git-lfs (Large File Support) on this repository
       --enable-oci                              enable helm-oci (Helm OCI-Based Repository)
+      --gcp-service-account-key-path string     service account key for the Google Cloud Platform
       --github-app-enterprise-base-url string   base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3
       --github-app-id int                       id of the GitHub Application
       --github-app-installation-id int          installation id of the GitHub Application

diff --git a/docs/user-guide/commands/argocd_repocreds_add.md b/docs/user-guide/commands/argocd_repocreds_add.md
@@ -24,12 +24,16 @@ argocd repocreds add REPOURL [flags]
   # Add credentials with helm oci registry so that these oci registry urls do not need to be added as repos individually.
   argocd repocreds add localhost:5000/myrepo --enable-oci --type helm 
 
+  # Add credentials with GCP credentials for all repositories under https://source.developers.google.com/p/my-google-cloud-project/r/
+  argocd repocreds add https://source.developers.google.com/p/my-google-cloud-project/r/ --gcp-service-account-key-path service-account-key.json
+
 ```
 
 ### Options
 
 ```
       --enable-oci                              Specifies whether helm-oci support should be enabled for this repo
+      --gcp-service-account-key-path string     service account key for the Google Cloud Platform
       --github-app-enterprise-base-url string   base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3
       --github-app-id int                       id of the GitHub Application
       --github-app-installation-id int          installation id of the GitHub Application

diff --git a/docs/user-guide/private-repositories.md b/docs/user-guide/private-repositories.md
@@ -134,6 +134,33 @@ Using the UI:
 !!!note
     When pasting GitHub App private key in the UI, make sure there are no unintended line breaks or additional characters in the text area
 
+### Google Cloud Source
+
+Private repositories hosted on Google Cloud Source can be accessed using Google Cloud service account key in JSON format. Consult [Google Cloud documentation](https://cloud.google.com/iam/docs/creating-managing-service-accounts) on how to create a service account.
+
+!!!note
+    Ensure your application has at least `Source Repository Reader` permissions for the Google Cloud project. This is the minimum requirement.
+
+You can configure access to your Git repository hosted on Google Cloud Source using the CLI or the UI.
+
+Using the CLI:
+
+```
+argocd repo add https://source.developers.google.com/p/my-google-cloud-project/r/my-repo --gcp-service-account-key-path service-account-key.json
+```
+
+Using the UI:
+
+1. Navigate to `Settings/Repositories`
+
+   ![connect repo overview](../assets/repo-add-overview.png)
+
+1. Click `Connect Repo using Google Cloud Source` button, enter the URL and the Google Cloud service account in JSON format.
+
+   ![connect repo](../assets/repo-add-google-cloud-source.png)
+
+1. Click `Connect` to test the connection and have the repository added
+
 ## Credential templates
 
 You can also set up credentials to serve as templates for connecting repositories, without having to repeat credential configuration. For example, if you setup credential templates for the URL prefix `https://github.com/argoproj`, these credentials will be used for all repositories with this URL as prefix (e.g. `https://github.com/argoproj/argocd-example-apps`) that do not have their own credentials configured.