  1. OpenShift GitOps
  2. GITOPS-2305

Add support for Sidecar CMP plugin to use private dependencies

    • GITOPS Sprint 3245

      Epic Goal

      Config Management Plugins can pull dependencies from private repositories.

      Why is this important?

      There isn't any mention of intentionally restricting CMP to public repos in the docs, so it’s reasonable that customers assume that private repos are accessible.

      I had assumed that when creating a CMP and extending Argo CD to integrate with more tooling that I would be able to bring in dependencies from private repos. Allowing users to BYO and customise the supported integrations should open the door to in-house config management solutions that may live in private repos. 

      Limiting customers to public repos only presents security challenges for some organisations.

      Though this issue isn't a significant problem by itself, I have assigned it Major priority as it's blocking at least one customer's upgrade from OCP 3 to 4.

      Scenarios

      1. Organisations with strict requirements, which aren’t able to use third-party tooling without approval, build a lot more privately maintained software. Being forced to grant an exception for Argo CD to use a public version of something would be a blocker for teams getting the functionality that they need.
      2. Teams must choose between using publicly available plugins (which may not suit their needs entirely) and having to make their custom plugin publicly available (which may not be possible for copyright or security reasons).

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • When using a Config Management Plugin, a user can successfully fetch a dependency from a private repository
      • When attempting to reproduce the error in https://github.com/argoproj/argo-cd/issues/10265, the Helm chart is able to pull the required dependencies

      Dependencies (internal and external)

      Issue reported by a customer via RFE: https://issues.redhat.com/browse/RFE-2976

      And also reported upstream: https://github.com/argoproj/argo-cd/issues/10265 

      Previous Work (Optional):

      Open questions:

      1. How will the issue with the credentials server be solved? 

      Further information from @Jann Fischer: The credentials server in Argo CD (introduced with v2.3 due to insecurities with the former GIT_ASK_PASS method) is not a network server, and the plugins are executed in their own context/isolation.

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

            abenaiss Akram Ben Aissi
            halawren@redhat.com Harriet Lawrence