Rebase crd branch onto master branch (#1192)

Signed-off-by: Denis Karpelevich <56302307+dkarpele@users.noreply.github.com>
Signed-off-by: chansuke <moonset20@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Christopher Coco <chriscoco1205@gmail.com>
Signed-off-by: Jongwon Youn <eatingcookieman@gmail.com>
Signed-off-by: Binh Nguyen <binh.nguyen@encapital.io>
Signed-off-by: Cheng Fang <cfang@redhat.com>
Co-authored-by: Yusuke Abe <moonset20@gmail.com>
Co-authored-by: Cheng Fang <cfang@redhat.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Coco <chriscoco1205@gmail.com>
Co-authored-by: Jongwon Youn <eatingcookieman@gmail.com>
Co-authored-by: Binh Nguyen <37066217+binhnguyenduc@users.noreply.github.com>
Co-authored-by: Binh Nguyen <binh.nguyen@encapital.io>

Author: 8 people

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23 AS builder
+FROM golang:1.24 AS builder
 
 RUN mkdir -p /src/argocd-image-updater
 WORKDIR /src/argocd-image-updater

README.md

@@ -22,7 +22,7 @@ supported yet (and maybe never will).
 Read
 [the documentation](https://argocd-image-updater.readthedocs.io/en/stable/)
 for more information on how to setup and run Argo CD Image Updater and to get
-known to it's features and limitations.
+known to its features and limitations.
 
 Above URL points to the documentation for the current release. If you are
 interested in documentation of upcoming features, check out the

cmd/ask_pass.go

@@ -12,7 +12,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 
-	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
+	"github.com/argoproj/argo-cd/v2/util/askpass"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	grpc_util "github.com/argoproj/argo-cd/v2/util/grpc"
 	"github.com/argoproj/argo-cd/v2/util/io"

cmd/ask_pass_test.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
+	"github.com/argoproj/argo-cd/v2/util/askpass"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"

cmd/main.go

@@ -44,6 +44,7 @@ func newRootCommand() error {
 	rootCmd.AddCommand(newVersionCommand())
 	rootCmd.AddCommand(newTestCommand())
 	rootCmd.AddCommand(newTemplateCommand())
+	rootCmd.AddCommand(NewWebhookCommand())
 	err := rootCmd.Execute()
 	return err
 }

cmd/run.go

@@ -16,7 +16,7 @@ import (
 
 	"github.com/argoproj-labs/argocd-image-updater/internal/controller"
 
-	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
+	"github.com/argoproj/argo-cd/v2/util/askpass"
 
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -44,7 +44,6 @@ func newRunCommand() *cobra.Command {
 	var probeAddr string
 	var secureMetrics bool
 	var enableHTTP2 bool
-	var enableWebhooks bool
 	var cfg = &controller.ImageUpdaterConfig{}
 	var once bool
 	var kubeConfig string
@@ -207,7 +206,7 @@ This enables a CRD-driven approach to automated image updates with Argo CD.
 
 			var webhookServer webhook.Server
 
-			if enableWebhooks {
+			if cfg.EnableWebhook && cfg.WebhookPort > 0 {
 				setupLogger.Info("enabling webhook server")
 				webhookServer = webhook.NewServer(webhook.Options{
 					TLSOpts: tlsOpts,
@@ -324,7 +323,6 @@ This enables a CRD-driven approach to automated image updates with Argo CD.
 	controllerCmd.Flags().StringVar(&leaderElectionNamespace, "leader-election-namespace", "", "The namespace used for the leader election lease. If empty, the controller will use the namespace of the pod it is running in. When running locally this value must be set.")
 	controllerCmd.Flags().BoolVar(&secureMetrics, "metrics-secure", true, "If set, the metrics endpoint is served securely via HTTPS. Use --metrics-secure=false to use HTTP instead.")
 	controllerCmd.Flags().BoolVar(&enableHTTP2, "enable-http2", false, "If set, HTTP/2 will be enabled for the metrics and webhook servers")
-	controllerCmd.Flags().BoolVar(&enableWebhooks, "enable-webhooks", false, "Enable admission webhooks. Requires a valid TLS certificate.")
 	controllerCmd.Flags().StringVar(&cfg.ApplicationsAPIKind, "applications-api", env.GetStringVal("APPLICATIONS_API", common.ApplicationsAPIKindK8S), "API kind that is used to manage Argo CD applications ('kubernetes' or 'argocd')")
 	controllerCmd.Flags().StringVar(&cfg.ClientOpts.ServerAddr, "argocd-server-addr", env.GetStringVal("ARGOCD_SERVER", ""), "address of ArgoCD API server")
 	controllerCmd.Flags().BoolVar(&cfg.ClientOpts.GRPCWeb, "argocd-grpc-web", env.GetBoolVal("ARGOCD_GRPC_WEB", false), "use grpc-web for connection to ArgoCD")
@@ -352,6 +350,8 @@ This enables a CRD-driven approach to automated image updates with Argo CD.
 	controllerCmd.Flags().BoolVar(&cfg.GitCommitSignOff, "git-commit-sign-off", env.GetBoolVal("GIT_COMMIT_SIGN_OFF", false), "Whether to sign-off git commits")
 	controllerCmd.Flags().StringVar(&commitMessagePath, "git-commit-message-path", common.DefaultCommitTemplatePath, "Path to a template to use for Git commit messages")
 	controllerCmd.Flags().BoolVar(&cfg.DisableKubeEvents, "disable-kube-events", env.GetBoolVal("IMAGE_UPDATER_KUBE_EVENTS", false), "Disable kubernetes events")
+	controllerCmd.Flags().IntVar(&cfg.WebhookPort, "webhook-port", env.ParseNumFromEnv("WEBHOOK_PORT", 8082, 0, 65535), "Port to start the webhook server on, 0 to disable")
+	controllerCmd.Flags().BoolVar(&cfg.EnableWebhook, "enable-webhook", env.GetBoolVal("ENABLE_WEBHOOK", false), "Enable webhook server for receiving registry events")
 
 	return controllerCmd
 }

cmd/webhook.go

@@ -0,0 +1,163 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/argoproj-labs/argocd-image-updater/pkg/argocd"
+	"github.com/argoproj-labs/argocd-image-updater/pkg/common"
+	"github.com/argoproj-labs/argocd-image-updater/pkg/kube"
+	"github.com/argoproj-labs/argocd-image-updater/pkg/webhook"
+	"github.com/argoproj-labs/argocd-image-updater/registry-scanner/pkg/log"
+
+	"github.com/spf13/cobra"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// WebhookOptions holds the options for the webhook server
+type WebhookOptions struct {
+	Port                int
+	DockerSecret        string
+	GHCRSecret          string
+	UpdateOnEvent       bool
+	ApplicationsAPIKind string
+	AppNamespace        string
+	ServerAddr          string
+	Insecure            bool
+	Plaintext           bool
+	GRPCWeb             bool
+	AuthToken           string
+}
+
+var webhookOpts WebhookOptions
+
+// NewWebhookCommand creates a new webhook command
+func NewWebhookCommand() *cobra.Command {
+	var webhookCmd = &cobra.Command{
+		Use:   "webhook",
+		Short: "Start webhook server to receive registry events",
+		Long: `
+The webhook command starts a server that listens for webhook events from
+container registries. When an event is received, it can trigger an image
+update check for the affected images.
+
+Supported registries:
+- Docker Hub
+- GitHub Container Registry (GHCR)
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			runWebhook()
+		},
+	}
+
+	webhookCmd.Flags().IntVar(&webhookOpts.Port, "port", 8080, "Port to listen on for webhook events")
+	webhookCmd.Flags().StringVar(&webhookOpts.DockerSecret, "docker-secret", "", "Secret for validating Docker Hub webhooks")
+	webhookCmd.Flags().StringVar(&webhookOpts.GHCRSecret, "ghcr-secret", "", "Secret for validating GitHub Container Registry webhooks")
+	webhookCmd.Flags().BoolVar(&webhookOpts.UpdateOnEvent, "update-on-event", true, "Whether to trigger image update checks when webhook events are received")
+	webhookCmd.Flags().StringVar(&webhookOpts.ApplicationsAPIKind, "applications-api", common.ApplicationsAPIKindK8S, "API kind that is used to manage Argo CD applications ('kubernetes' or 'argocd')")
+	webhookCmd.Flags().StringVar(&webhookOpts.AppNamespace, "application-namespace", "", "namespace where Argo Image Updater will manage applications")
+	webhookCmd.Flags().StringVar(&webhookOpts.ServerAddr, "argocd-server-addr", "", "address of ArgoCD API server")
+	webhookCmd.Flags().BoolVar(&webhookOpts.Insecure, "argocd-insecure", false, "(INSECURE) ignore invalid TLS certs for ArgoCD server")
+	webhookCmd.Flags().BoolVar(&webhookOpts.Plaintext, "argocd-plaintext", false, "(INSECURE) connect without TLS to ArgoCD server")
+	webhookCmd.Flags().BoolVar(&webhookOpts.GRPCWeb, "argocd-grpc-web", false, "use grpc-web for connection to ArgoCD")
+	webhookCmd.Flags().StringVar(&webhookOpts.AuthToken, "argocd-auth-token", "", "use token for authenticating to ArgoCD")
+
+	return webhookCmd
+}
+
+// runWebhook starts the webhook server
+func runWebhook() {
+	log.Infof("Starting webhook server on port %d", webhookOpts.Port)
+
+	// Initialize the ArgoCD client
+	var argoClient argocd.ArgoCD
+	var err error
+
+	// Create Kubernetes client
+	var kubeClient *kube.ImageUpdaterKubernetesClient
+	kubeClient, err = argocd.GetKubeConfig(context.TODO(), "", "")
+	if err != nil {
+		log.Fatalf("Could not create Kubernetes client: %v", err)
+	}
+
+	// Set up based on application API kind
+	if webhookOpts.ApplicationsAPIKind == common.ApplicationsAPIKindK8S {
+		// Create a new controller-runtime client, which is what the refactored
+		// NewK8SClient function expects.
+		config, err := ctrl.GetConfig()
+		if err != nil {
+			log.Fatalf("could not get k8s config: %v", err)
+		}
+		ctrlClient, err := client.New(config, client.Options{Scheme: scheme})
+		if err != nil {
+			log.Fatalf("could not create controller-runtime client: %v", err)
+		}
+		argoClient, err = argocd.NewK8SClient(ctrlClient)
+		if err != nil {
+			log.Fatalf("Could not create ArgoCD K8s client: %v", err)
+		}
+	} else {
+		// Use defaults if not specified
+		serverAddr := webhookOpts.ServerAddr
+		if serverAddr == "" {
+			serverAddr = common.DefaultArgoCDServerAddr
+		}
+
+		// Check for auth token from environment if not provided
+		authToken := webhookOpts.AuthToken
+		if authToken == "" {
+			if token := os.Getenv("ARGOCD_TOKEN"); token != "" {
+				authToken = token
+			}
+		}
+
+		clientOpts := argocd.ClientOptions{
+			ServerAddr: serverAddr,
+			Insecure:   webhookOpts.Insecure,
+			Plaintext:  webhookOpts.Plaintext,
+			GRPCWeb:    webhookOpts.GRPCWeb,
+			AuthToken:  authToken,
+		}
+		argoClient, err = argocd.NewAPIClient(&clientOpts)
+	}
+
+	if err != nil {
+		log.Fatalf("Could not create ArgoCD client: %v", err)
+	}
+
+	// Create webhook handler
+	handler := webhook.NewWebhookHandler()
+
+	// Register supported webhook handlers
+	dockerHandler := webhook.NewDockerHubWebhook(webhookOpts.DockerSecret)
+	handler.RegisterHandler(dockerHandler)
+
+	ghcrHandler := webhook.NewGHCRWebhook(webhookOpts.GHCRSecret)
+	handler.RegisterHandler(ghcrHandler)
+
+	// Create webhook server
+	server := webhook.NewWebhookServer(webhookOpts.Port, handler, kubeClient, argoClient)
+
+	// Set up graceful shutdown
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
+
+	// Start the server in a separate goroutine
+	go func() {
+		if err := server.Start(); err != nil {
+			log.Fatalf("Failed to start webhook server: %v", err)
+		}
+	}()
+
+	// Wait for interrupt signal
+	<-stop
+
+	// Gracefully shut down the server
+	log.Infof("Shutting down webhook server")
+	if err := server.Stop(); err != nil {
+		log.Errorf("Error stopping webhook server: %v", err)
+	}
+}

docs/basics/update.md

@@ -14,7 +14,7 @@ The workflow of Argo CD Image Updater can be described as follows:
   whose name match a given pattern, or match a given label.
 
 * It then goes through the list of `Applications` found and inspects each
-  for the the annotation `argocd-image-updater.argoproj.io/image-list`. This
+  for the annotation `argocd-image-updater.argoproj.io/image-list`. This
   annotation holds a list of image names that should be updated, and is a
   mandatory annotation for Argo CD Image Updater to indicate it should
   process this `Application`. Read more about the syntax expected in this

docs/configuration/images.md

@@ -32,7 +32,7 @@ following:
 argocd-image-updater.argoproj.io/image-list: nginx
 ```
 
-The above example would specify to update the image `nginx` to it's most recent
+The above example would specify to update the image `nginx` to its most recent
 version found in the container registry, without taking any version constraints
 into consideration.
 

docs/install/installation.md

@@ -165,11 +165,11 @@ kubectl -n argocd-image-updater rollout restart deployment argocd-image-updater
 
 When installed from the manifests into a Kubernetes cluster, the Argo CD Image
 Updater reads the token required for accessing Argo CD API from an environment
-variable named `ARGOCD_TOKEN`, which is set from a a field named
+variable named `ARGOCD_TOKEN`, which is set from a field named
 `argocd.token` in a secret named `argocd-image-updater-secret`.
 
 The value for `argocd.token` should be set to the *base64 encoded* value of the
-access token you have generated above. As a short-cut, you can use generate the
+access token you have generated above. As a short-cut, you can use generate
 secret with `kubectl` and apply it over the existing resource:
 
 ```shell