feat: insecure support for chart-sync (#5328)

* passing allowInsecureConnection

* skipping validation for username, password and url

* update issue fix

* updating argocd secret

* migration default value

* migration script update

Author: iamayushm

api/chartRepo/ChartRepositoryRestHandler.go

@@ -208,12 +208,7 @@ func (handler *ChartRepositoryRestHandlerImpl) UpdateChartRepo(w http.ResponseWr
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
-	err = handler.chartRepositoryService.ValidateDeploymentCount(request)
-	if err != nil {
-		handler.Logger.Errorw("error updating, UpdateChartRepo", "err", err, "payload", request)
-		common.WriteJsonResp(w, err, nil, http.StatusInternalServerError)
-		return
-	}
+
 	token := r.Header.Get("token")
 	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionUpdate, "*"); !ok {
 		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)

api/helm-app/gRPC/applist.pb.go

@@ -281,6 +281,7 @@ message ChartRepository {
   string url = 2;
   string username = 3;
   string password = 4;
+  bool   allowInsecureConnection = 5;
 }
 
 message InstallReleaseRequest {

api/helm-app/gRPC/applist.proto

@@ -954,10 +954,11 @@ func (impl *HelmAppServiceImpl) TemplateChart(ctx context.Context, templateChart
 		}
 	} else {
 		chartRepository = &gRPC.ChartRepository{
-			Name:     appStoreAppVersion.AppStore.ChartRepo.Name,
-			Url:      appStoreAppVersion.AppStore.ChartRepo.Url,
-			Username: appStoreAppVersion.AppStore.ChartRepo.UserName,
-			Password: appStoreAppVersion.AppStore.ChartRepo.Password,
+			Name:                    appStoreAppVersion.AppStore.ChartRepo.Name,
+			Url:                     appStoreAppVersion.AppStore.ChartRepo.Url,
+			Username:                appStoreAppVersion.AppStore.ChartRepo.UserName,
+			Password:                appStoreAppVersion.AppStore.ChartRepo.Password,
+			AllowInsecureConnection: appStoreAppVersion.AppStore.ChartRepo.AllowInsecureConnection,
 		}
 	}
 

api/helm-app/service/HelmAppService.go

@@ -926,10 +926,11 @@ func (impl *AppStoreDeploymentServiceImpl) linkHelmApplicationToChartStore(insta
 	}
 	if chartRepoInfo != nil {
 		updateReleaseRequest.ChartRepository = &bean4.ChartRepository{
-			Name:     chartRepoInfo.Name,
-			Url:      chartRepoInfo.Url,
-			Username: chartRepoInfo.UserName,
-			Password: chartRepoInfo.Password,
+			Name:                    chartRepoInfo.Name,
+			Url:                     chartRepoInfo.Url,
+			Username:                chartRepoInfo.UserName,
+			Password:                chartRepoInfo.Password,
+			AllowInsecureConnection: chartRepoInfo.AllowInsecureConnection,
 		}
 	}
 	res, err := impl.helmAppService.UpdateApplicationWithChartInfo(ctx, installAppVersionRequest.ClusterId, updateReleaseRequest)

pkg/appStore/installedApp/service/AppStoreDeploymentService.go

@@ -128,10 +128,11 @@ func (impl *EAModeDeploymentServiceImpl) InstallApp(installAppVersionRequest *ap
 		}
 	} else {
 		chartRepository = &gRPC.ChartRepository{
-			Name:     appStoreAppVersion.AppStore.ChartRepo.Name,
-			Url:      appStoreAppVersion.AppStore.ChartRepo.Url,
-			Username: appStoreAppVersion.AppStore.ChartRepo.UserName,
-			Password: appStoreAppVersion.AppStore.ChartRepo.Password,
+			Name:                    appStoreAppVersion.AppStore.ChartRepo.Name,
+			Url:                     appStoreAppVersion.AppStore.ChartRepo.Url,
+			Username:                appStoreAppVersion.AppStore.ChartRepo.UserName,
+			Password:                appStoreAppVersion.AppStore.ChartRepo.Password,
+			AllowInsecureConnection: appStoreAppVersion.AppStore.ChartRepo.AllowInsecureConnection,
 		}
 	}
 	installReleaseRequest := &gRPC.InstallReleaseRequest{
@@ -340,10 +341,11 @@ func (impl *EAModeDeploymentServiceImpl) updateApplicationWithChartInfo(ctx cont
 		}
 	} else {
 		chartRepository = &gRPC.ChartRepository{
-			Name:     appStoreApplicationVersion.AppStore.ChartRepo.Name,
-			Url:      appStoreApplicationVersion.AppStore.ChartRepo.Url,
-			Username: appStoreApplicationVersion.AppStore.ChartRepo.UserName,
-			Password: appStoreApplicationVersion.AppStore.ChartRepo.Password,
+			Name:                    appStoreApplicationVersion.AppStore.ChartRepo.Name,
+			Url:                     appStoreApplicationVersion.AppStore.ChartRepo.Url,
+			Username:                appStoreApplicationVersion.AppStore.ChartRepo.UserName,
+			Password:                appStoreApplicationVersion.AppStore.ChartRepo.Password,
+			AllowInsecureConnection: appStoreApplicationVersion.AppStore.ChartRepo.AllowInsecureConnection,
 		}
 	}
 

pkg/appStore/installedApp/service/EAMode/EAModeDeploymentService.go

@@ -101,10 +101,11 @@ func (impl *InstalledAppResourceServiceImpl) findNotesForArgoApplication(install
 			ValuesYaml:   installedAppVerison.ValuesYaml,
 			K8SVersion:   k8sServerVersion.String(),
 			ChartRepository: &gRPC.ChartRepository{
-				Name:     appStoreAppVersion.AppStore.ChartRepo.Name,
-				Url:      appStoreAppVersion.AppStore.ChartRepo.Url,
-				Username: appStoreAppVersion.AppStore.ChartRepo.UserName,
-				Password: appStoreAppVersion.AppStore.ChartRepo.Password,
+				Name:                    appStoreAppVersion.AppStore.ChartRepo.Name,
+				Url:                     appStoreAppVersion.AppStore.ChartRepo.Url,
+				Username:                appStoreAppVersion.AppStore.ChartRepo.UserName,
+				Password:                appStoreAppVersion.AppStore.ChartRepo.Password,
+				AllowInsecureConnection: appStoreAppVersion.AppStore.ChartRepo.AllowInsecureConnection,
 			},
 			ReleaseIdentifier: &gRPC.ReleaseIdentifier{
 				ReleaseNamespace: installedAppVerison.InstalledApp.Environment.Namespace,

pkg/appStore/installedApp/service/FullMode/resource/NotesService.go

@@ -24,6 +24,7 @@ import (
 	util3 "github.com/devtron-labs/common-lib/utils/k8s"
 	"io"
 	"io/ioutil"
+	errors2 "k8s.io/apimachinery/pkg/api/errors"
 	"net/http"
 	"net/url"
 	"strconv"
@@ -70,7 +71,6 @@ type ChartRepositoryService interface {
 	GetChartRepoByName(name string) (*ChartRepoDto, error)
 	GetChartRepoList() ([]*ChartRepoWithIsEditableDto, error)
 	GetChartRepoListMin() ([]*ChartRepoDto, error)
-	ValidateDeploymentCount(request *ChartRepoDto) error
 	ValidateChartRepo(request *ChartRepoDto) *DetailedErrorHelmRepoValidation
 	ValidateAndCreateChartRepo(request *ChartRepoDto) (*chartRepoRepository.ChartRepo, error, *DetailedErrorHelmRepoValidation)
 	ValidateAndUpdateChartRepo(request *ChartRepoDto) (*chartRepoRepository.ChartRepo, error, *DetailedErrorHelmRepoValidation)
@@ -111,12 +111,12 @@ func (impl *ChartRepositoryServiceImpl) CreateSecretDataForHelmChart(request *Ch
 	if isPrivateChart {
 		secretData[USERNAME] = request.UserName
 		secretData[PASSWORD] = request.Password
-		isInsecureConnection := "true"
-		if !request.AllowInsecureConnection {
-			isInsecureConnection = "false"
-		}
-		secretData[INSECRUE] = isInsecureConnection
 	}
+	isInsecureConnection := "true"
+	if !request.AllowInsecureConnection {
+		isInsecureConnection = "false"
+	}
+	secretData[INSECRUE] = isInsecureConnection
 
 	return secretData
 }
@@ -225,17 +225,13 @@ func (impl *ChartRepositoryServiceImpl) CreateChartRepo(request *ChartRepoDto) (
 	return chartRepo, nil
 }
 
-func (impl *ChartRepositoryServiceImpl) ValidateDeploymentCount(request *ChartRepoDto) error {
-	activeDeploymentCount, err := impl.repoRepository.FindDeploymentCountByChartRepoId(request.Id)
+func (impl *ChartRepositoryServiceImpl) getCountOfDeployedCharts(chartRepoId int) (int, error) {
+	activeDeploymentCount, err := impl.repoRepository.FindDeploymentCountByChartRepoId(chartRepoId)
 	if err != nil {
-		impl.logger.Errorw("error in getting deployment count, CheckDeploymentCount", "err", err, "payload", request)
-		return err
+		impl.logger.Errorw("error in getting deployment count, CheckDeploymentCount", "chartRepoId", chartRepoId, "err", err)
+		return 0, err
 	}
-	if activeDeploymentCount > 0 {
-		err = &util.ApiError{Code: "400", HttpStatusCode: 400, UserMessage: "cannot update, found charts deployed using this repo"}
-		return err
-	}
-	return err
+	return activeDeploymentCount, nil
 }
 
 func (impl *ChartRepositoryServiceImpl) UpdateData(request *ChartRepoDto) (*chartRepoRepository.ChartRepo, error) {
@@ -256,6 +252,18 @@ func (impl *ChartRepositoryServiceImpl) UpdateData(request *ChartRepoDto) (*char
 	if request.Name != previousName && strings.ToLower(request.Name) != request.Name {
 		return nil, errors.New("invalid repo name: please use lowercase")
 	}
+
+	deployedChartCount, err := impl.getCountOfDeployedCharts(request.Id)
+	if err != nil {
+		impl.logger.Errorw("error in getting charts deployed via chart repo", "chartRepoId", request.Id, "err", err)
+		return nil, err
+	}
+
+	if deployedChartCount > 0 && (request.Name != previousName || request.Url != previousUrl) {
+		err = &util.ApiError{Code: "400", HttpStatusCode: 400, UserMessage: "cannot update, found charts deployed using this repo"}
+		return nil, err
+	}
+
 	chartRepo.Url = request.Url
 	chartRepo.Name = request.Name
 	chartRepo.AuthMode = request.AuthMode
@@ -347,11 +355,24 @@ func (impl *ChartRepositoryServiceImpl) UpdateData(request *ChartRepoDto) (*char
 		} else {
 			secretData := impl.CreateSecretDataForHelmChart(request, isPrivateChart)
 			secret, err := impl.K8sUtil.GetSecret(impl.aCDAuthConfig.ACDConfigMapNamespace, previousName, client)
-			if err != nil {
+			statusError, ok := err.(*errors2.StatusError)
+			if err != nil && (ok && statusError != nil && statusError.Status().Code != http.StatusNotFound) {
 				impl.logger.Errorw("error in fetching secret", "err", err)
 				continue
 			}
-			secret.StringData = secretData
+
+			if ok && statusError != nil && statusError.Status().Code == http.StatusNotFound {
+				secretLabel := make(map[string]string)
+				secretLabel[LABEL] = REPOSITORY
+				_, err = impl.K8sUtil.CreateSecret(impl.aCDAuthConfig.ACDConfigMapNamespace, nil, chartRepo.Name, "", client, secretLabel, secretData)
+				if err != nil {
+					impl.logger.Errorw("Error in creating secret for chart repo", "Chart Name", chartRepo.Name, "err", err)
+					continue
+				}
+				updateSuccess = true
+				break
+			}
+
 			if previousName != request.Name {
 				err = impl.DeleteChartSecret(previousName)
 				if err != nil {
@@ -365,6 +386,7 @@ func (impl *ChartRepositoryServiceImpl) UpdateData(request *ChartRepoDto) (*char
 					impl.logger.Errorw("Error in creating secret for chart repo", "Chart Name", chartRepo.Name, "err", err)
 				}
 			} else {
+				secret.StringData = secretData
 				_, err = impl.K8sUtil.UpdateSecret(impl.aCDAuthConfig.ACDConfigMapNamespace, secret, client)
 				if err != nil {
 					impl.logger.Errorw("Error in creating secret for chart repo", "Chart Name", chartRepo.Name, "err", err)

pkg/chartRepo/ChartRepositoryService.go

@@ -0,0 +1 @@
+update chart_repo set allow_insecure_connection=false;

scripts/sql/258_chart_repo_insecure_default_values.down.sql

@@ -0,0 +1,4 @@
+-- till this migration script, allow_insecure_connection is FALSE in Database
+-- insecureSkipTlsVerification was not derived from Database and was hardcoded as True in Kubelink.
+-- Now we are deriving it's value from DB and to preserve existing behaviour, migration values in DB are set to TRUE
+update chart_repo set allow_insecure_connection=true;