Merge branch 'master' into dev

.github/workflows/ci-build.yaml

@@ -384,7 +384,7 @@ jobs:
  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  - name: Upload test results to Codecov
  if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'argoproj/argo-cd'
- uses: codecov/test-results-action@1b5b448b98e58ba90d1a1a1d9fcb72ca2263be46 # v1.0.0
+ uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1
  with:
  file: test-results/junit.xml
  fail_ci_if_error: true

.golangci.yaml

@@ -20,8 +20,10 @@ linters:
  - misspell
  - staticcheck
  - testifylint
+ - thelper
  - unparam
  - unused
+ - usestdlibvars
  - whitespace 
 linters-settings:
  gocritic:

Makefile

@@ -486,6 +486,7 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
  BIN_MODE=$(ARGOCD_BIN_MODE) \
  ARGOCD_APPLICATION_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
  ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
+ ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE=true \
  ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
  ARGOCD_E2E_TEST=true \
  goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}

applicationset/controllers/applicationset_controller_test.go

@@ -36,6 +36,7 @@ import (
  "github.com/argoproj/argo-cd/v2/applicationset/utils"
 
  appsetmetrics "github.com/argoproj/argo-cd/v2/applicationset/metrics"
+ argocommon "github.com/argoproj/argo-cd/v2/common"
  "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
  dbmocks "github.com/argoproj/argo-cd/v2/util/db/mocks"
 
@@ -1150,7 +1151,7 @@ func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
  Name: "my-secret",
  Namespace: "namespace",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  Data: map[string][]byte{
@@ -1306,7 +1307,7 @@ func TestRemoveFinalizerOnInvalidDestination_DestinationTypes(t *testing.T) {
  Name: "my-secret",
  Namespace: "namespace",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  Data: map[string][]byte{
@@ -2052,7 +2053,7 @@ func TestValidateGeneratedApplications(t *testing.T) {
  Name: "my-secret",
  Namespace: "namespace",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  Data: map[string][]byte{
@@ -2245,6 +2246,7 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
  },
  },
  testfunc: func(t *testing.T, appset v1alpha1.ApplicationSet) {
+ t.Helper()
  assert.Len(t, appset.Status.Conditions, 3)
  },
  },
@@ -2280,6 +2282,7 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
  },
  },
  testfunc: func(t *testing.T, appset v1alpha1.ApplicationSet) {
+ t.Helper()
  assert.Len(t, appset.Status.Conditions, 3)
 
  isProgressingCondition := false
@@ -2342,6 +2345,7 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
  },
  },
  testfunc: func(t *testing.T, appset v1alpha1.ApplicationSet) {
+ t.Helper()
  assert.Len(t, appset.Status.Conditions, 4)
 
  isProgressingCondition := false
@@ -2388,6 +2392,7 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
 }
 
 func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alpha1.ApplicationsSyncPolicy, recordBuffer int, allowPolicyOverride bool) v1alpha1.Application {
+ t.Helper()
  scheme := runtime.NewScheme()
  err := v1alpha1.AddToScheme(scheme)
  require.NoError(t, err)
@@ -2549,6 +2554,7 @@ func TestUpdatePerformedWithSyncPolicyCreateOnlyAndAllowPolicyOverrideFalse(t *t
 }
 
 func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alpha1.ApplicationsSyncPolicy, recordBuffer int, allowPolicyOverride bool) v1alpha1.ApplicationList {
+ t.Helper()
  scheme := runtime.NewScheme()
  err := v1alpha1.AddToScheme(scheme)
  require.NoError(t, err)

applicationset/controllers/clustereventhandler.go

@@ -14,7 +14,7 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/client"
  "sigs.k8s.io/controller-runtime/pkg/event"
 
- "github.com/argoproj/argo-cd/v2/applicationset/generators"
+ "github.com/argoproj/argo-cd/v2/common"
  argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
@@ -50,7 +50,7 @@ type addRateLimitingInterface[T comparable] interface {
 
 func (h *clusterSecretEventHandler) queueRelatedAppGenerators(ctx context.Context, q addRateLimitingInterface[reconcile.Request], object client.Object) {
  // Check for label, lookup all ApplicationSets that might match the cluster, queue them all
- if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
+ if object.GetLabels()[common.LabelKeySecretType] != common.LabelValueSecretTypeCluster {
  return
  }
 

applicationset/controllers/clustereventhandler_test.go

@@ -4,6 +4,8 @@ import (
  "context"
  "testing"
 
+ argocommon "github.com/argoproj/argo-cd/v2/common"
+
  log "github.com/sirupsen/logrus"
  "github.com/stretchr/testify/assert"
  "github.com/stretchr/testify/require"
@@ -16,7 +18,6 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/client/fake"
  "sigs.k8s.io/controller-runtime/pkg/reconcile"
 
- "github.com/argoproj/argo-cd/v2/applicationset/generators"
  argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
@@ -42,7 +43,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -70,7 +71,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -113,7 +114,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -157,7 +158,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -218,7 +219,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -254,7 +255,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -304,7 +305,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -355,7 +356,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -389,7 +390,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -425,7 +426,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -475,7 +476,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },
@@ -526,7 +527,7 @@ func TestClusterEventHandler(t *testing.T) {
  Namespace: "argocd",
  Name: "my-secret",
  Labels: map[string]string{
- generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
  },
  },
  },

applicationset/controllers/requeue_after_test.go

@@ -57,7 +57,7 @@ func TestRequeueAfter(t *testing.T) {
  },
  }
  fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
- scmConfig := generators.NewSCMConfig("", []string{""}, true, nil)
+ scmConfig := generators.NewSCMConfig("", []string{""}, true, nil, true)
  terminalGenerators := map[string]generators.Generator{
  "List": generators.NewListGenerator(),
  "Clusters": generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),

applicationset/generators/cluster.go

@@ -15,14 +15,10 @@ import (
  "sigs.k8s.io/controller-runtime/pkg/client"
 
  "github.com/argoproj/argo-cd/v2/applicationset/utils"
+ "github.com/argoproj/argo-cd/v2/common"
  argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
-const (
- ArgoCDSecretTypeLabel = "argocd.argoproj.io/secret-type"
- ArgoCDSecretTypeCluster = "cluster"
-)
-
 var _ Generator = (*ClusterGenerator)(nil)
 
 // ClusterGenerator generates Applications for some or all clusters registered with ArgoCD.
@@ -186,7 +182,7 @@ func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1
  // List all Clusters:
  clusterSecretList := &corev1.SecretList{}
 
- selector := metav1.AddLabelToSelector(&appSetGenerator.Clusters.Selector, ArgoCDSecretTypeLabel, ArgoCDSecretTypeCluster)
+ selector := metav1.AddLabelToSelector(&appSetGenerator.Clusters.Selector, common.LabelKeySecretType, common.LabelValueSecretTypeCluster)
  secretSelector, err := metav1.LabelSelectorAsSelector(selector)
  if err != nil {
  return nil, fmt.Errorf("error converting label selector: %w", err)

applicationset/generators/merge_test.go

@@ -197,6 +197,7 @@ func TestMergeGenerate(t *testing.T) {
 }
 
 func toAPIExtensionsJSON(t *testing.T, g interface{}) *apiextensionsv1.JSON {
+ t.Helper()
  resVal, err := json.Marshal(g)
  if err != nil {
  t.Error("unable to unmarshal json", g)

applicationset/generators/pull_request.go

@@ -139,15 +139,15 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
  return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", prErr)
  }
  }
- token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
+ token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret token: %w", err)
  }
  return pullrequest.NewGitLabService(ctx, token, providerConfig.API, providerConfig.Project, providerConfig.Labels, providerConfig.PullRequestState, g.scmRootCAPath, providerConfig.Insecure, caCerts)
  }
  if generatorConfig.Gitea != nil {
  providerConfig := generatorConfig.Gitea
- token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
+ token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret token: %w", err)
  }
@@ -164,13 +164,13 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
  }
  }
  if providerConfig.BearerToken != nil {
- appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
+ appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
  }
  return pullrequest.NewBitbucketServiceBearerToken(ctx, appToken, providerConfig.API, providerConfig.Project, providerConfig.Repo, g.scmRootCAPath, providerConfig.Insecure, caCerts)
  } else if providerConfig.BasicAuth != nil {
- password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
+ password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret token: %w", err)
  }
@@ -182,13 +182,13 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
  if generatorConfig.Bitbucket != nil {
  providerConfig := generatorConfig.Bitbucket
  if providerConfig.BearerToken != nil {
- appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace)
+ appToken, err := utils.GetSecretRef(ctx, g.client, providerConfig.BearerToken.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret Bearer token: %w", err)
  }
  return pullrequest.NewBitbucketCloudServiceBearerToken(providerConfig.API, appToken, providerConfig.Owner, providerConfig.Repo)
  } else if providerConfig.BasicAuth != nil {
- password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace)
+ password, err := utils.GetSecretRef(ctx, g.client, providerConfig.BasicAuth.PasswordRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret token: %w", err)
  }
@@ -199,7 +199,7 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
  }
  if generatorConfig.AzureDevOps != nil {
  providerConfig := generatorConfig.AzureDevOps
- token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
+ token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret token: %w", err)
  }
@@ -219,7 +219,7 @@ func (g *PullRequestGenerator) github(ctx context.Context, cfg *argoprojiov1alph
  }
 
  // always default to token, even if not set (public access)
- token, err := utils.GetSecretRef(ctx, g.client, cfg.TokenRef, applicationSetInfo.Namespace)
+ token, err := utils.GetSecretRef(ctx, g.client, cfg.TokenRef, applicationSetInfo.Namespace, g.tokenRefStrictMode)
  if err != nil {
  return nil, fmt.Errorf("error fetching Secret token: %w", err)
  }

applicationset/generators/pull_request_test.go

@@ -283,7 +283,7 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
  "gitea.myorg.com",
  "bitbucket.myorg.com",
  "azuredevops.myorg.com",
- }, true, nil))
+ }, true, nil, true))
 
  applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
  ObjectMeta: metav1.ObjectMeta{
@@ -306,7 +306,7 @@ func TestAllowedSCMProviderPullRequest(t *testing.T) {
 }
 
 func TestSCMProviderDisabled_PRGenerator(t *testing.T) {
- generator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{}, false, nil))
+ generator := NewPullRequestGenerator(nil, NewSCMConfig("", []string{}, false, nil, true))
 
  applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
  ObjectMeta: metav1.ObjectMeta{