Add repository credential management API and CLI (addresses #2136)

[jannfis]

This PR adds repository credential management to ArgoCD, as discussed in #2136. It changes the following:

• Add the following CRUD operations for repository credentials in RepositoryService API Introduces new RepoCredsService API which implements the following CRUD operations for managing repository credentials:

  • ListRepositoryCredentials()
  • CreateRepositoryCredentials()
  • UpdateRepositoryCredentials()
  • DeleteRepositoryCredentials()

• Deprecation of the following CRUD operations for repository management in RepositoryService API. The deprecated methods still available for backwards compatibility, but I think should be safe to remove with the release of v2.0:

  • List() deprecated in favour of ListRepositories()
  • Create() deprecated in favour of CreateRepository()
  • Update() deprecated in favour of UpdateRepository()
  • Delete() deprecated in favour of DeleteRepository()

• Changes the semantics of argocd repo sub-commands by introducing the --creds switch to sub-commands list, add and rm to perform operations on repository credentials instead of repositories.

• Introduces the repocreds sub-command to CLI, which can be used to manage repository credential templates. It mimics repo sub-command to some extent and supports the add, rm and list operations, with --upsert support.

• Introduces --force-refresh --refresh <mode> switch to argocd repo list command and accompanyingrefresh field in RepoQuery message of RepositoryService API to force a cache refresh of the listed repository's connection status

• Update 08/26/19: Changes behaviour of credential lookup from "first match" to "best match", i.e. given the following two cred URLs https://reposerver/reposand https://reposerver/repos/private, credential lookup for repository https://reposerver/repos/private/myprivate would return credentials configured for https://reposerver/repos/private, not https://reposerver/repos

• Update 08/26/19 2: Adds initial functionality to the web UI for listing, adding and removing repository credential templates - all built into the 'Repositories' settings page. Also added ability to force a cache reload of repositories with a new button on top of the page. See screenshots.

• Update 08/27/19: Added documentation for Operator Manual (declarative) and User Manual (Web UI and CLI)

• Update 09/28/19: Introduce new repocreds sub-command to CLI and removes --creds switch (and accompanying functionality) from repo sub-command (docs still need updating).

CLI examples:

[eris@docker-build argo-cd]$ ./dist/argocd repocreds --list
URL_PATTERN                 USERNAME  SSH_CREDS  TLS_CREDS
https://docker-build/repos  test      false      false
[eris@docker-build argo-cd]$ ./dist/argocd repo list
REPO                                            INSECURE  LFS    USER  STATUS      MESSAGE
https://docker-build/repos/argocd-example-apps  false     false  test  Successful
[eris@docker-build argo-cd]$ ./dist/argocd repocreds rm https://docker-build/repos
[eris@docker-build argo-cd]$ ./dist/argocd repo list --refresh hard
REPO                                            INSECURE  LFS    USER  STATUS  MESSAGE
https://docker-build/repos/argocd-example-apps  false     false  -     Failed  Unable to connect to repository: authentication required

[alexec]

looking good so far - I've some polish comments - but I'll wait until this is Ready For Review

[jannfis]

I think this PR is complete now. Sorry for it being so large again, I owe you guys a beer or two for all the review work I generate.

[alexec]

Another great PR. I've just added some comments as I'm on vacation for a few days now.

[jannfis]

Regarding the removal of insecureIgnoreHostKey from the credential templates, this was a design decision. It has a) not been well documented (no mention of this setting in the docs regarding repository credentials), and b) I see it as a potentially dangerous option, and also one that shouldn't be necessary anymore with the introduction of certificate management. The problem I see with it that it's a "fire & forget" option to open a potential huge security gap in the setup. It should be set using consent for each repository, if at all (i.e. must "hurt").

[alexec]

The Helm work is now merged. You'll need to git merge master

[moensch]

@jannfis Would you consider a reduced version of this PR against the 1.2 branch to just fix the call to CreateRepository with no credentials provided?
I was going to get started on a fix for #2305 but then found your open PR which I suspect won't make it in until 2.0.

[alexec]

Don't forget to let us know when it is ready for review.

[jannfis]

I'm still working on moving the credentials part out of RepositoryService to give the credentials a dedicated place to exist. This is more work than I expected, as I'm also giving it complete new data structures and types, so there'll be less confusion about what's actually a repository and what's a credential template.

[jannfis]

I've introduced RepoCredsService with the latest commit, which handles CRUD operations for repository credentials. I have also changed semantics of RepositoryCredentials a little, so we now have a dedicated data structure for handling credential templates, as opposed to handle them using stub repository structures. This always introduced confusion of "what is a repository" and "what is a credential template", and which information should be where.

Final steps are now to adapt the UI to the new semantics, and also to merge the conflicts from master (I hope for the last time).

[jannfis]

@alexec I think this is now finally ready for review. Please note that the change is now more invasive than initially was planned, but should be non breaking in terms of configuration - except when someone had InsecureIgnoreHostKey set in repository.credentials configuration (which I doubt, because it was not documented).

The UI still needs a little love, it's a little hackish implementation. I was thinking about moving the credentials part to its own settings page in the future, but for now, the current implementation in the repositories section seems good enough.

[alexec]

This looks good me. I'd like to target if for v1.4 rather than v1.3 as we're going to branch v1.3 today (hopefully). @alexmt @jessesuen do you want to review the API changes please?

[alexec]

minor - could use error.Check(..)

[alexec]

minor - if you want to provide parseable output, you could add a -o yaml option

[alexec]

minor - do we want document how these are matched?

[alexec]

I think you could simply this test to two lines, as any field other than EnableLFSshould not matter

[alexec]

nice

[alexec]

Why do we need force refresh? I'm worried that we're using the wrong key for the correction state.

[jannfis]

I think it'd be useful when you change repository credentials, you can see whether the change was successful or not instantly. Credentials aren't (can't be) checked for validity.

The other possibility would be to invalidate the cache on connection state for every repository that matches the credentials' URL prefix, when the credentials change.

[alexec]

I think this func accepts nil? So no need to guard.

[alexec]

This has been approved but needs to be sync'd with master. @jannfis do you want to do this?