CR-21153: create an option for using it with self-signed certificate (#658)

* [CR-21153]: v1.4.0 adding unsecure option
* upgrading image
* Adding debug info
* upgrade packages
* Upgrade pip and do not use slim version

* [CR-21153] 1.4.1 Adding CA_BUNDLE option
* Fixed logic
* Remove double code
-------
Signed-off-by: Laurent Rochette <laurent.rochette@codefresh.io>
Co-authored-by: Francisco Cocozza <39525266+francisco-codefresh@users.noreply.github.com>

Author: lrochette

incubating/argo-cd-sync/CHANGELOG.md

@@ -1,7 +1,14 @@
 # Changelog
-## [1.3.1] - 2023-09-18
+
+## [1.4.1] - 2023-10-31
+### Changed
+Add CA_BUNDLE option
+
+## [1.4.0] - 2023-10-30
 ### Changed
+Add INSECURE option
 
+## [1.3.1] - 2023-09-18
 ### Fixed
 - CVE-2023-37920 - upgrade Python module certifi to 2023.7.22
 - CVE-2019-8457 - upgrade base image to python:3.11.5-slim-bookworm
@@ -10,5 +17,3 @@
 ### Changed
 - Adding IMAGE_NAME parameter
 - Adding example
-
-### Fixed

incubating/argo-cd-sync/Dockerfile

@@ -1,6 +1,7 @@
-FROM    python:3.11.5-slim-bookworm
+FROM    python:3.12.0-bookworm
 WORKDIR /app
 COPY    requirements.txt requirements.txt
+RUN     pip3 install --upgrade pip
 RUN     pip3 install -r requirements.txt
 COPY    queries queries/
 COPY    argocd_sync.py run.py

incubating/argo-cd-sync/argocd_sync.py

@@ -24,6 +24,13 @@
 CF_STEP_NAME= os.getenv('CF_STEP_NAME', 'STEP_NAME')
 LOG_LEVEL   = os.getenv('LOG_LEVEL', "info")
 
+# Check the certificate or not accessing the API endpoint
+VERIFY      = True if os.getenv('INSECURE', "False").lower() == "false" else False
+CA_BUNDLE   = os.getenv('CA_BUNDLE')
+
+if CA_BUNDLE != None:
+    VERIFY='/root/bundle.pem'
+
 #######################################################################
 
 
@@ -37,6 +44,8 @@ def main():
     logging.debug("INTERVAL: %d", INTERVAL)
     logging.debug("MAX CHECKS: %s", MAX_CHECKS)
     logging.debug("ROLLBACK: %s", ROLLBACK)
+    logging.debug("VERIFY: %s", VERIFY)
+    logging.debug("BUNDLE: %s", CA_BUNDLE)
 
     ingress_host = get_runtime_ingress_host()
     execute_argocd_sync(ingress_host)
@@ -83,7 +92,7 @@ def getRevision(namespace):
     transport = RequestsHTTPTransport(
         url=gql_api_endpoint,
         headers={'authorization': CF_API_KEY},
-        verify=True,
+        verify=VERIFY,
         retries=3,
     )
     client = Client(transport=transport, fetch_schema_from_transport=False)
@@ -139,7 +148,7 @@ def rollback(ingress_host, namespace, revision):
     transport = RequestsHTTPTransport(
         url=runtime_api_endpoint,
         headers={'authorization': CF_API_KEY},
-        verify=True,
+        verify=VERIFY,
         retries=3,
     )
     client = Client(transport=transport, fetch_schema_from_transport=False)
@@ -163,7 +172,7 @@ def get_app_status(namespace):
     transport = RequestsHTTPTransport(
         url=gql_api_endpoint,
         headers={'authorization': CF_API_KEY},
-        verify=True,
+        verify=VERIFY,
         retries=3,
     )
     client = Client(transport=transport, fetch_schema_from_transport=False)
@@ -189,7 +198,7 @@ def get_runtime():
     transport = RequestsHTTPTransport(
         url = CF_URL + '/2.0/api/graphql',
         headers={'authorization': CF_API_KEY},
-        verify=True,
+        verify=VERIFY,
         retries=3,
     )
     client = Client(transport=transport, fetch_schema_from_transport=False)
@@ -225,7 +234,7 @@ def execute_argocd_sync(ingress_host):
     transport = RequestsHTTPTransport(
         url=runtime_api_endpoint,
         headers={'authorization': CF_API_KEY},
-        verify=True,
+        verify=VERIFY,
         retries=3,
     )
     client = Client(transport=transport, fetch_schema_from_transport=False)

incubating/argo-cd-sync/requirements.txt

@@ -7,5 +7,5 @@ idna==3.4
 multidict==6.0.4
 requests==2.28.2
 requests-toolbelt==0.10.1
-urllib3==1.26.15
-yarl==1.8.2
+urllib3==1.26.16
+yarl==1.9.2

incubating/argo-cd-sync/step.yaml

@@ -1,17 +1,17 @@
 kind: step-type
 metadata:
   name: argo-cd-sync
-  version: 1.3.1
+  version: 1.4.1
   isPublic: true
   description: Syncs Argo CD apps managed by our GitOps Runtimes
   sources:
     - 'https://github.com/codefresh-io/steps/tree/master/incubating/argo-cd-sync'
   stage: incubating
   maintainers:
     - name: Francisco Cocozza
-    - email: francisco@codefresh.io
+      email: francisco@codefresh.io
     - name: Laurent Rochette
-    - email: laurent.rochette@codefresh.io
+      email: laurent.rochette@codefresh.io
   categories:
     - GitOps
   official: true
@@ -99,6 +99,15 @@ spec:
           "description": "OPTIONAL - Wait for the app to be healthy after a rollback. Forces ROLLBACK to true",
           "default": false
         },
+        "CA_BUNDLE": {
+          "type": "string",
+          "description": "OPTIONAL - a base64 encoded stringnthat contain the complete CA Certificate Bundle"
+        },
+        "INSECURE": {
+          "type": "boolean",
+          "description": "OPTIONAL - to allow the usage of a self-signed certificate in the chain to reach the API endpoint",
+          "default": false
+        },
         "LOG_LEVEL": {
           "type": "string",
           "description": "OPTIONAL - set the log level, e.g. 'debug', 'info', 'warn', 'error', 'critical' (default 'error')",
@@ -145,8 +154,12 @@ spec:
         - '[[ $key ]]=[[ $val ]]'
       [[- end ]]
       commands:
+      [[ if .Arguments.CA_BUNDLE ]]
+        - echo [[ .Arguments.CA_BUNDLE ]] | base64 -d >/root/bundle.pem
+      [[ end ]]
         - cd /app
         - python3 run.py
+
   delimiters:
     left: '[['
     right: ']]'