feat: Add support for destination service accounts (#567)

* upgrade argo version and add support for dest svc accts

Signed-off-by: Jordan Nimlos <[email protected]>

* feat(tests): align workflow file with framework skaffold repo (#563)

Signed-off-by: Nathanael Liechti <[email protected]>
Signed-off-by: Jordan Nimlos <[email protected]>

* feat: align tools folder with scaffold repo (#565)

Signed-off-by: Nathanael Liechti <[email protected]>
Signed-off-by: Jordan Nimlos <[email protected]>

* include flattener function for dsa

Signed-off-by: Jordan Nimlos <[email protected]>

* add updated docs

Signed-off-by: Jordan Nimlos <[email protected]>

* go mod tidy and fix generate/build

Signed-off-by: Jordan Nimlos <[email protected]>

* add argocd settings api client

Signed-off-by: Jordan Nimlos <[email protected]>

* add settings check to feature constraints

Signed-off-by: Jordan Nimlos <[email protected]>

* separate version and settings support checks with a single wrapper

Signed-off-by: Jordan Nimlos <[email protected]>

* fix linting issues

Signed-off-by: Jordan Nimlos <[email protected]>

* chore: add ability to optionally filter tests (#684)

In the various `Makefile` tasks, add an option to filter out tests if
necessary. I also fixed a few tests which were failing when running
unit tests where the config params require a k8s environment to be up
and running.

Signed-off-by: Blake Pettersson <[email protected]>
Signed-off-by: Jordan Nimlos <[email protected]>

* fix(deps): update module github.com/argoproj/argo-cd/v3 to v3.0.11 (#664)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Jordan Nimlos <[email protected]>

* chore: migrate to terraform-plugin-testing (#687)

* chore: migrate to terraform-plugin-testing

It gets pretty messy trying to mix `terraform-plugin-testing` with the
older `terraform-plugin-sdk` testing framework, so let's just use
`terraform-plugin-testing` for both the old resources as well as the new ones.

Signed-off-by: Blake Pettersson <[email protected]>

* chore: ignore fields

Signed-off-by: Blake Pettersson <[email protected]>

---------

Signed-off-by: Blake Pettersson <[email protected]>
Signed-off-by: Jordan Nimlos <[email protected]>

* add doc comments to IsVersionSupported and IsSettingSupported funcs

Signed-off-by: Jordan Nimlos <[email protected]>

* separate unstable feature acceptance tests from stable ones

Signed-off-by: Jordan Nimlos <[email protected]>

* re-add dropped ApplicationSourceName feature

Signed-off-by: Jordan Nimlos <[email protected]>

* revert unstable feature test workflows

Signed-off-by: Jordan Nimlos <[email protected]>

* revert feature constraint server settings component

Signed-off-by: Jordan Nimlos <[email protected]>

* missed cleanup IsVersionSupported func, add nil check on fc.MinVersion

Signed-off-by: Jordan Nimlos <[email protected]>

* avoid panic in expandDestinationServiceAccounts

Signed-off-by: Jordan Nimlos <[email protected]>

* rm kubernetes tf provider usage in test

Signed-off-by: Jordan Nimlos <[email protected]>

* check feature support on resource create/update

Signed-off-by: Jordan Nimlos <[email protected]>

* add fc.MinVersion nil check to new server_interface

Signed-off-by: Jordan Nimlos <[email protected]>

---------

Signed-off-by: Jordan Nimlos <[email protected]>
Signed-off-by: Nathanael Liechti <[email protected]>
Signed-off-by: nimjor <[email protected]>
Signed-off-by: Blake Pettersson <[email protected]>
Co-authored-by: Jordan Nimlos <[email protected]>
Co-authored-by: Nathanael Liechti <[email protected]>
Co-authored-by: Jordan Nimlos <[email protected]>
Co-authored-by: Blake Pettersson <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

Author: 6 people

argocd/resource_argocd_project.go

@@ -64,6 +64,13 @@ func resourceArgoCDProjectCreate(ctx context.Context, d *schema.ResourceData, me
 		}
 	}
 
+	if !si.IsFeatureSupported(features.ProjectDestinationServiceAccounts) {
+		_, destinationServiceAccountsOk := d.GetOk("spec.0.destination_service_account")
+		if destinationServiceAccountsOk {
+			return featureNotSupported(features.ProjectDestinationServiceAccounts)
+		}
+	}
+
 	if _, ok := tokenMutexProjectMap[projectName]; !ok {
 		tokenMutexProjectMap[projectName] = &sync.RWMutex{}
 	}
@@ -170,6 +177,13 @@ func resourceArgoCDProjectUpdate(ctx context.Context, d *schema.ResourceData, me
 		}
 	}
 
+	if !si.IsFeatureSupported(features.ProjectDestinationServiceAccounts) {
+		_, destinationServiceAccountsOk := d.GetOk("spec.0.destination_service_account")
+		if destinationServiceAccountsOk {
+			return featureNotSupported(features.ProjectDestinationServiceAccounts)
+		}
+	}
+
 	projectName := objectMeta.Name
 
 	if _, ok := tokenMutexProjectMap[projectName]; !ok {

argocd/resource_argocd_project_test.go

@@ -254,6 +254,44 @@ func TestAccArgoCDProjectWithSourceNamespaces(t *testing.T) {
 	})
 }
 
+func TestAccArgoCDProjectWithDestinationServiceAccounts(t *testing.T) {
+	name := acctest.RandomWithPrefix("test-acc")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			testAccPreCheck(t)
+			testAccPreCheckFeatureSupported(t, features.ProjectDestinationServiceAccounts)
+		},
+		ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccArgoCDProjectWithDestinationServiceAccounts(name),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"argocd_project.simple",
+						"metadata.0.uid",
+					),
+					resource.TestCheckResourceAttr(
+						"argocd_project.simple",
+						"spec.0.destination_service_account.0.default_service_account",
+						"default",
+					),
+					resource.TestCheckResourceAttr(
+						"argocd_project.simple",
+						"spec.0.destination_service_account.1.default_service_account",
+						"foo",
+					),
+				),
+			},
+			{
+				ResourceName:      "argocd_project.simple",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
 func TestAccArgoCDProjectWithFineGrainedPolicy(t *testing.T) {
 	name := acctest.RandomWithPrefix("test-acc")
 
@@ -860,6 +898,47 @@ resource "argocd_project" "failure" {
   `, name, name, name)
 }
 
+func testAccArgoCDProjectWithDestinationServiceAccounts(name string) string {
+	return fmt.Sprintf(`
+resource "argocd_project" "simple" {
+  metadata {
+    name      = "%s"
+    namespace = "argocd"
+    labels = {
+      acceptance = "true"
+    }
+    annotations = {
+      "this.is.a.really.long.nested.key" = "yes, really!"
+    }
+  }
+
+  spec {
+    description  = "simple"
+    source_repos = ["*"]
+
+    destination {
+      server    = "https://kubernetes.default.svc"
+      namespace = "default"
+    }
+    destination {
+      server    = "https://kubernetes.default.svc"
+      namespace = "foo"
+    }
+    destination_service_account {
+      default_service_account = "default"
+      namespace = "default"
+      server = "https://kubernetes.default.svc"
+    }
+    destination_service_account {
+      default_service_account = "foo"
+      namespace = "foo"
+      server = "https://kubernetes.default.svc"
+    }
+  }
+}
+  `, name)
+}
+
 func testAccArgoCDProjectWithFineGrainedPolicy(name string) string {
 	return fmt.Sprintf(`
   resource "argocd_project" "fine_grained_policy" {

argocd/schema_project.go

@@ -488,6 +488,30 @@ func projectSpecSchemaV2() *schema.Schema {
 						},
 					},
 				},
+				"destination_service_account": {
+					Type:        schema.TypeSet,
+					Description: "Service accounts to be impersonated for the application sync operation for each destination.",
+					Optional:    true,
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"default_service_account": {
+								Type:        schema.TypeString,
+								Description: "Used for impersonation during the sync operation",
+								Required:    true,
+							},
+							"namespace": {
+								Type:        schema.TypeString,
+								Description: "Specifies the target namespace for the application's resources.",
+								Optional:    true,
+							},
+							"server": {
+								Type:        schema.TypeString,
+								Description: "Specifies the URL of the target cluster's Kubernetes control plane API.",
+								Required:    true,
+							},
+						},
+					},
+				},
 				"namespace_resource_blacklist": {
 					Type:        schema.TypeSet,
 					Description: "Blacklisted namespace level resources.",

argocd/server_interface.go

@@ -164,6 +164,10 @@ func (si *ServerInterface) InitClients(ctx context.Context) diag.Diagnostics {
 func (si *ServerInterface) IsFeatureSupported(feature features.Feature) bool {
 	fc, ok := features.ConstraintsMap[feature]
 
+	if fc.MinVersion == nil {
+		return true
+	}
+
 	return ok && fc.MinVersion.Compare(si.ServerVersion) != 1
 }
 

argocd/structure_project.go

@@ -104,6 +104,10 @@ func expandProjectSpec(d *schema.ResourceData) (spec application.AppProjectSpec,
 		spec.Destinations = expandApplicationDestinations(v.(*schema.Set))
 	}
 
+	if v, ok := s["destination_service_account"]; ok {
+		spec.DestinationServiceAccounts = expandDestinationServiceAccounts(v.(*schema.Set))
+	}
+
 	if v, ok := s["sync_window"]; ok {
 		spec.SyncWindows = expandSyncWindows(v.([]interface{}))
 	}
@@ -123,6 +127,20 @@ func expandProjectSpec(d *schema.ResourceData) (spec application.AppProjectSpec,
 	return spec, nil
 }
 
+func expandDestinationServiceAccounts(dsas *schema.Set) (result []application.ApplicationDestinationServiceAccount) {
+	for _, _dsa := range dsas.List() {
+		dsa := _dsa.(map[string]interface{})
+
+		result = append(result, application.ApplicationDestinationServiceAccount{
+			DefaultServiceAccount: dsa["default_service_account"].(string),
+			Namespace:             dsa["namespace"].(string),
+			Server:                dsa["server"].(string),
+		})
+	}
+
+	return
+}
+
 func expandOrphanedResourcesIgnore(ignore *schema.Set) (result []application.OrphanedResourceKey) {
 	for _, _i := range ignore.List() {
 		i := _i.(map[string]interface{})
@@ -161,6 +179,7 @@ func flattenProjectSpec(s application.AppProjectSpec) []map[string]interface{} {
 		"namespace_resource_blacklist": flattenK8SGroupKinds(s.NamespaceResourceBlacklist),
 		"namespace_resource_whitelist": flattenK8SGroupKinds(s.NamespaceResourceWhitelist),
 		"destination":                  flattenApplicationDestinations(s.Destinations),
+		"destination_service_account":  flattenProjectDestinationServiceAccounts(s.DestinationServiceAccounts),
 		"orphaned_resources":           flattenProjectOrphanedResources(s.OrphanedResources),
 		"role":                         flattenProjectRoles(s.Roles),
 		"sync_window":                  flattenSyncWindows(s.SyncWindows),
@@ -223,3 +242,15 @@ func flattenProjectRoles(rs []application.ProjectRole) (result []map[string]inte
 
 	return
 }
+
+func flattenProjectDestinationServiceAccounts(dsas []application.ApplicationDestinationServiceAccount) (result []map[string]string) {
+	for _, dsa := range dsas {
+		result = append(result, map[string]string{
+			"default_service_account": dsa.DefaultServiceAccount,
+			"namespace":               dsa.Namespace,
+			"server":                  dsa.Server,
+		})
+	}
+
+	return
+}

docs/resources/project.md

@@ -173,6 +173,7 @@ Optional:
 - `cluster_resource_blacklist` (Block Set) Blacklisted cluster level resources. (see [below for nested schema](#nestedblock--spec--cluster_resource_blacklist))
 - `cluster_resource_whitelist` (Block Set) Whitelisted cluster level resources. (see [below for nested schema](#nestedblock--spec--cluster_resource_whitelist))
 - `description` (String) Project description.
+- `destination_service_account` (Block Set) Service accounts to be impersonated for the application sync operation for each destination. (see [below for nested schema](#nestedblock--spec--destination_service_account))
 - `namespace_resource_blacklist` (Block Set) Blacklisted namespace level resources. (see [below for nested schema](#nestedblock--spec--namespace_resource_blacklist))
 - `namespace_resource_whitelist` (Block Set) Whitelisted namespace level resources. (see [below for nested schema](#nestedblock--spec--namespace_resource_whitelist))
 - `orphaned_resources` (Block List, Max: 1) Settings specifying if controller should monitor orphaned resources of apps in this project. (see [below for nested schema](#nestedblock--spec--orphaned_resources))
@@ -212,6 +213,19 @@ Optional:
 - `kind` (String) The Kubernetes resource Kind to match for.
 
 
+<a id="nestedblock--spec--destination_service_account"></a>
+### Nested Schema for `spec.destination_service_account`
+
+Required:
+
+- `default_service_account` (String) Used for impersonation during the sync operation
+- `server` (String) Specifies the URL of the target cluster's Kubernetes control plane API.
+
+Optional:
+
+- `namespace` (String) Specifies the target namespace for the application's resources.
+
+
 <a id="nestedblock--spec--namespace_resource_blacklist"></a>
 ### Nested Schema for `spec.namespace_resource_blacklist`
 

internal/features/features.go

@@ -17,12 +17,15 @@ const (
 	ApplicationSetIgnoreApplicationDifferences
 	ApplicationSetTemplatePatch
 	ApplicationKustomizePatches
+	ProjectDestinationServiceAccounts
 	ProjectFineGrainedPolicy
 	ApplicationSourceName
 )
 
 type FeatureConstraint struct {
-	Name       string
+	// Name is a human-readable name for the feature.
+	Name string
+	// MinVersion is the minimum ArgoCD version that supports this feature.
 	MinVersion *semver.Version
 }
 
@@ -39,4 +42,5 @@ var ConstraintsMap = map[Feature]FeatureConstraint{
 	ApplicationKustomizePatches:                {"application kustomize patches", semver.MustParse("2.9.0")},
 	ProjectFineGrainedPolicy:                   {"fine-grained policy in project", semver.MustParse("2.12.0")},
 	ApplicationSourceName:                      {"named application sources", semver.MustParse("2.14.0")},
+	ProjectDestinationServiceAccounts:          {"project destination service accounts", semver.MustParse("2.13.0")},
 }

internal/provider/server_interface.go

@@ -164,6 +164,10 @@ func (si *ServerInterface) InitClients(ctx context.Context) diag.Diagnostics {
 func (si *ServerInterface) IsFeatureSupported(feature features.Feature) bool {
 	fc, ok := features.ConstraintsMap[feature]
 
+	if fc.MinVersion == nil {
+		return true
+	}
+
 	return ok && fc.MinVersion.Compare(si.ServerVersion) != 1
 }