refactor: use argocd-git-ask-pass to pass git credentials to git/kustomize

[alexmt]

Signed-off-by: Alexander Matyushentsev AMatyushentsev@gmail.com

In order to provide git credentials to Kustomize Argo CD sets GIT_ASKPASS=git-ask-pass.sh env variable so that git clone call git-ask-pass.sh for credentials. The git-ask-pass.sh needs to get credentials somewhere so we also set GIT_USERNAME and GIT_PASSWORD env variables. The problem is that GIT_USERNAME and GIT_PASSWORD also available to kustomize and user can leverage kustomize config map generator to just print env variables.

Fix:

I think we agreed that it is not safe to have any secret in env variable or file, because one way or another almost all config tools provide a way to read file/env variable. But we can assume config management tool does not allow user to run any custom binary. So proposing following solution:

• introduce argocd-git-ask-pass binary and new, localhost-only endpoint in repo-server
• during manifests generation repo server generates uuid, associate it with git credentials and fork/exec config management tool with GIT_ASKPASS='argocd-git-ask-pass '
• git executes argocd-git-ask-pass , then argocd-git-ask-pass calls send uuid to new repo-server endpoint and receives associated credentials
• once manifest generation is completed repo-server forget about uuid and associated credentials

[codecov]

Codecov Report

Merging #8516 (1b2a4cf) into master (a84e993) will increase coverage by 0.07%.
The diff coverage is 26.08%.

@@            Coverage Diff             @@
##           master    #8516      +/-   ##
==========================================
+ Coverage   42.32%   42.40%   +0.07%     
==========================================
  Files         176      177       +1     
  Lines       22822    22936     +114     
==========================================
+ Hits         9660     9726      +66     
- Misses      11784    11824      +40     
- Partials     1378     1386       +8     

Impacted Files	Coverage Δ
cmd/argocd/commands/app.go	0.53% <0.00%> (ø)
pkg/apis/application/v1alpha1/repository_types.go	60.52% <0.00%> (ø)
util/git/creds.go	9.80% <4.34%> (-0.20%)	⬇️
reposerver/askpass/server.go	35.29% <35.29%> (ø)
reposerver/repository/repository.go	58.66% <57.14%> (-0.18%)	⬇️
util/git/client.go	44.74% <100.00%> (ø)
controller/state.go	73.90% <0.00%> (-0.54%)	⬇️
pkg/apis/application/v1alpha1/types.go	55.08% <0.00%> (ø)
util/settings/settings.go	47.91% <0.00%> (+0.69%)	⬆️
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a84e993...1b2a4cf. Read the comment docs.

[crenshaw-dev]

Oops, didn't mean to approve yet. :-)

[alexec]

belt-and-braces - unset the env when forking kustomize process

[crenshaw-dev]

Added optional nitpicks, but LGTM!

[jannfis]

LGTM, thanks @alexmt

[jessesuen]

Took a close look and it looks solid. Great work!

[patoarvizu]

Is this something that should be available to sidecar plugins too?

I have a sidecar plugin for Tanka, that uses jsonnet-bundler to pull dependencies from private repos. I have the ConfigManagementPlugin configured to have init run jb install, which is how jsonnet-bundler pulls its dependencies, and it calls git under the covers. I assume that because this calls to git are unknown to/unmanaged by Argo, the configured credentials weren't available, but up until 2.2.5, I was able to have a workaround this issue by mounting a git-ask-pass.sh via a ConfigMap, and setting GIT_USERNAME and GIT_PASSWORD as environment variables on the sidecar container. Once I tried to upgrade to 2.3.1, this stopped working.

I understand that this feature is done to prevent potential credential hijacking, but I don't quite understand what about the new feature broke my workaround, and whether I can now leverage this functionality in my custom sidecar, or if I have to find an alternative.

(I can open a new issue to track this if you prefer.)

[crenshaw-dev]

@patoarvizu can you open an issue? I'll have to go back and look at the PR to see what was missed. But in theory it shouldn't be too difficult to let the sidecar use the credentials service.

[patoarvizu]

@crenshaw-dev Will do!