feat: make provider compatible with Argo CD 2.12

[the-technat]

Adds support for Argo CD 2.12 to the provider.

Changes:

• updates CI to test against current Argo CD 2.12 patch
• updates argo-cd client lib to current Argo CD 2.12 patch
• fixes acceptance tests that fail against Argo CD 2.12
• updates kind to v0.24.0 (unrelated)

[the-technat]

The test fails with a weird error. I assume code-changes are required to get this working. Will dig into it.

[the-technat]

Finally the TestAccArgoCDRepository_Helm succeeded after adding a trailing slash to one of the helm repos in the test manifest.

Now we have another error regarding this attribute check. Reading the repository we just created reveals all githubapp_* attributes unpopulated (after several reading retries in the code) and the connection status being not successful (what a surprise with fake values), thus the check fails. When looking at the K8s secret that Argo CD created, the dummy githubapp_* attributes are properly saved.

Did Argo CD 2.12 change the behaviour what is returned when the connection state is not successful? (in that case we could remove the attribute check).

Also this comment might be related.

@blakepettersson do you have an idea why Argo CD doesn't return these attributes on a created repository in 2.12?

[blakepettersson]

@the-technat I suspect the issue may be that within resourceArgoCDRepositoryRead you'd need to pass in the appproject pertaining to the repository, like this

	r, err := si.RepositoryClient.Get(ctx, &repository.RepoQuery{
		Repo:         d.Id(),
		ForceRefresh: true,
		AppProject:   project,
	})

(although IIRC this is only required if more than one repository is using the same repo url 🤔)

[the-technat]

I did some more investigations and think I have nailed the problem to something concrete here.

Reproduce

In the provider repo: ARGOCD_VERSION=v2.11.12 make testacc_prepare_env

Obtain a session token using:

export ARGOCD_TOKEN=$(curl -sSL -k \
  -X POST \
  -H "Content-type: application/json" \
  https://127.0.0.1:8080/api/v1/session \
  -d $'{"username":"admin","password":"acceptancetesting"}' \
 | jq '.token' \
 | tr -d '"')

Connect a repository using this command:

curl  -k -H "Content-type: application/json" \
  -H "Authorization: Bearer $ARGOCD_TOKEN" \
  https://127.0.0.1:8080/api/v1/repositories  \
  -d @repo.json

{
  "githubAppEnterpriseBaseUrl": "https://ghe.example.com/api/v3",
  "githubAppID": 123456,
  "githubAppInstallationID": 987654321,
  "githubAppPrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAzy5BqPJL78Igv0M9131OfQbCOUCJXYZsIs3Lx+24ITN2WPU5\nSYLH/kZs3z5LJ11IAySC8AHGJBKfcWbgAL7brqZEjfZafWjoC44tH4/iXj5g2GY6\nGtuaQUC4oVx5JHQMVDp3GCL/mk9XVARfg9/6J61mfsawMmyCq1tR8HrNmx6SJas6\nfYMIvxiMr8dufJnnV15U1RTiztZJZXtJWtUTfU1n6OQf48MPe0PQA4k2GyP7CbIL\nJKuj3TXI8R7FpsXocZ+aVLaKkA7PqbpxqjhRYeaFkkwJ5WS6UTMid2XOwAudl2iq\nNNYd6ebg3M8siMiimn3PGgWlXlIxQ6qlq0Bq5QIDAQABAoIBAF/9MnawK/adnsZ+\nxPw+FktfAkW8XOh0C03kw3GR9imLyl1U4IHqkfaBcpfMKM3ILkEmfXPtnnvAFRdZ\nbpdp1iaI6mJLrYlFPZ189fMVmu/HPt+EHY+sB0AMWH6KdaYqDjxICj2omXxJHlDS\n5d4Xu7L+Z+p8682w8Kmr2b7tZq1jGlZJNM+TOEpVyBMOvx4ZDWVd7w3kmqSH25Ki\nnaAUyPA54KZSOWZhkqWIBhHvzz90jiAorwbA6QSmDji9410xeQHtKmxfLMvoVK8C\n1/UVvSk0dD7v9lCHG8GAjUlEETildG2O3KyqA2Axfnrz/tfpUG+hmxqVIVbwMUCC\nfgNsF4ECgYEA+/3ryuDbDX+0C6EFuVTi6jVo00K55miCe//zVBXFJzWfhAOGVEuA\n4VA48CWtVjEE1E7mI1mMYUBz3UOEN8F/D0H9beI9QtCaoz/XoCtXfCFuJkXGecpH\nTo3ZRfWfPH5iEqY7YEB9kWjTPK9LX7zCF0EGcpflzQIqEZLEz1eb1NkCgYEA0nne\ntLTEyHIp56xTaU1qviY2wkGOJBVeSiepnNKDwb7NjMBHgYgLvawDy7d/qbE7D8Hs\nHm5qOxzIPI8MeTr/GTu43fVGt8mHHxke48ZTTrwww3+cr+dWG92NVamXrHzknk7e\nWwXcGz1rM0yfEVNCEISmUOfVnnR+HmdQWbvMju0CgYAeseR59v/X2hllXTzkQWnO\nm6jkKvmYDlzum9PZBznXt9lxbDh9piDR0ULORdiiaiAreFziK3NFGWPDrQi6/e/r\nPN+Q9gD+VYiwoAM0+HKUpUHUmaU+ipw6/l5b/jpiVQa/PM54wAJLpxgsCTJGPCjs\nSjht1wDgAwZ604TzuLk7qQKBgEgtNqvtWZYLYEdsFuaDf9lZLWoMJPxGv6DaXRXE\nMx6bmc1smpjW2H/gnySa9pJwjnpm29vLrW47/oaV34crLhOvIUQsOmYIG+gUKz2c\n4zCa5HYGKus/f43que7oS3UBFz0aerHoHoTQ2RQscFf2ny8e7hHMjrrZ4+31K965\nwfo5AoGAPm6SVmM3DAOiP0hntJk5tFj1VonePFM6qUycPUKyg1CxlOSlA4HcPbhb\n3uCXoSZa+cLUEZ7eO7I41sQlndXr4CRCdd68bW3ZCyYJuHxDHlA/yzgc3xWKb9Jz\nxSpPFKrgWsBd1llTHK0zCB53unPBQB7DJW3XL5/z8o5pOyDhf1A=\n-----END RSA PRIVATE KEY-----\n",
  "project": "default",
  "repo": "https://private-git-repository.argocd.svc.cluster.local/project-1.git",
  "type": "git"
} 

Note: the dummy-data for this repo are taken from the failed acceptance test.

Then get the same repository using this command:

curl -k -H "Content-type: application/json" \
  -H "Authorization: Bearer $ARGOCD_TOKEN" \
  https://127.0.0.1:8080/api/v1/repositories/https%3A%2F%2Fprivate-git-repository.argocd.svc.cluster.local%2Fproject-1.git

Reponse from 2.12.7:

{
  "repo": "https://private-git-repository.argocd.svc.cluster.local/project-1.git",
  "connectionState": {
    "status": "Failed",
    "message": "Unable to connect to repository: rpc error: code = Unknown desc = error testing repository connectivity: could not refresh installation id 987654321's token: could not get access_tokens from GitHub API for installation ID 987654321: dial tcp: lookup ghe.example.com on 10.96.0.10:53: no such host",
    "attemptedAt": "2024-11-17T10:55:07Z"
  },
  "type": "git",
  "project": "default"
}

Response from 2.11.12:

{
  "repo": "https://private-git-repository.argocd.svc.cluster.local/project-1.git",
  "connectionState": {
    "status": "Failed",
    "message": "Unable to connect to repository: rpc error: code = Unknown desc = error testing repository connectivity: could not refresh installation id 987654321's token: could not get access_tokens from GitHub API for installation ID 987654321: dial tcp: lookup ghe.example.com on 10.96.0.10:53: no such host",
    "attemptedAt": "2024-11-17T10:59:23Z"
  },
  "type": "git",
  "githubAppID": 123456,
  "githubAppInstallationID": 987654321,
  "githubAppEnterpriseBaseUrl": "https://ghe.example.com/api/v3",
  "project": "default"
}

Analysis

As one can see 2.11.12 returns the githubApp* parameters while 2.12.7 doesn't.

Reading the release notes that changed between 2.11 and 2.12 the following change seems related: cluster-secret-scoping-changes but hasn't been verified so far.

Other things I tried so far:

• Add ?appProject=default to the GET call -> same result
• omit the project field when creating the repository -> fails immediately with the same connection status as shown in the GET call

This leaves me with the question how to proceed with our tests in the provider:

1. omit the check that verifies that githubAppEnterpriseBaseUrl is set
2. add a diff-ignore that ignores this value being unset on a repository read
3. this is a bug in Argo CD?

[blakepettersson]

See argoproj/argo-cd#20991

[blakepettersson]

@the-technat try out 2.12.8

[the-technat]

@blakepettersson with v2.12.8 the tests finally pass!