feat: add support for separate GitHub app credentials stored as Kubernetes secrets

Signed-off-by: Dustin Lactin <[email protected]>

Author: dlactin

docs/basics/update-methods.md

@@ -123,7 +123,9 @@ Example:
 argocd-image-updater.argoproj.io/write-back-method: git:secret:argocd-image-updater/git-creds
 ```
 
-If the repository is accessed using HTTPS, the secret must contain two fields:
+If the repository is accessed using HTTPS, the secret must contain either user credentials or GitHub app credentials.
+
+If the repository is accessed using user credentials, the secret requires two fields
 `username` which holds the Git username, and `password` which holds the user's
 password or a private access token (PAT) with write access to the repository.
 You can generate such a secret using `kubectl`, e.g.:
@@ -134,6 +136,16 @@ kubectl -n argocd-image-updater create secret generic git-creds \
   --from-literal=password=somepassword
 ```
 
+If the repository is accessed using GitHub app credentials, the secret requires three fields `githubAppID` which holds the GitHub Application ID, `githubAppInstallationID` which holds the GitHub Organization Installation ID, and `githubAppPrivateKey` which holds the GitHub Application private key. The GitHub Application must be installed into the target repository with write access.
+You can generate such a secret using `kubectl`, e.g.:
+
+```bash
+kubectl -n argocd-image-updater create secret generic git-creds \
+  --from-literal=githubAppID=applicationid \
+  --from-literal=githubAppInstallationID=installationid \
+  --from-literal=githubAppPrivateKey='-----BEGIN RSA PRIVATE KEY-----PRIVATEKEYDATA-----END RSA PRIVATE KEY-----'
+```
+
 If the repository is accessed using SSH, the secret must contain the field
 `sshPrivateKey`, which holds a SSH private key in OpenSSH-compatible PEM
 format. To create such a secret from an existing private key, you can use

pkg/argocd/gitcreds.go

@@ -3,6 +3,7 @@ package argocd
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -66,14 +67,25 @@ func getCredsFromSecret(wbc *WriteBackConfig, credentialsSecret string, kubeClie
 		}
 		return git.NewSSHCreds(string(sshPrivateKey), "", true), nil
 	} else if git.IsHTTPSURL(wbc.GitRepo) {
-		var username, password []byte
-		if username, ok = credentials["username"]; !ok {
-			return nil, fmt.Errorf("invalid secret %s: does not contain field username", credentialsSecret)
+		var username, password, githubAppID, githubAppInstallationID, githubAppPrivateKey []byte
+		if githubAppID, ok = credentials["githubAppID"]; ok {
+			if githubAppInstallationID, ok = credentials["githubAppInstallationID"]; !ok {
+				return nil, fmt.Errorf("invalid secret %s: does not contain field githubAppInstallationID", credentialsSecret)
+			}
+			if githubAppPrivateKey, ok = credentials["githubAppPrivateKey"]; !ok {
+				return nil, fmt.Errorf("invalid secret %s: does not contain field githubAppPrivateKey", credentialsSecret)
+			}
+			// converting byte array to string and ultimately int64 for NewGitHubAppCreds
+			intGithubAppID, _ := strconv.ParseInt(string(githubAppID), 10, 64)
+			intGithubAppInstallationID, _ := strconv.ParseInt(string(githubAppInstallationID), 10, 64)
+			return git.NewGitHubAppCreds(intGithubAppID, intGithubAppInstallationID, string(githubAppPrivateKey), "", "", "", "", true), nil
+		} else if username, ok = credentials["username"]; ok {
+			if password, ok = credentials["password"]; !ok {
+				return nil, fmt.Errorf("invalid secret %s: does not contain field password", credentialsSecret)
+			}
+			return git.NewHTTPSCreds(string(username), string(password), "", "", true, ""), nil
 		}
-		if password, ok = credentials["password"]; !ok {
-			return nil, fmt.Errorf("invalid secret %s: does not contain field password", credentialsSecret)
-		}
-		return git.NewHTTPSCreds(string(username), string(password), "", "", true, ""), nil
+		return nil, fmt.Errorf("invalid repository credentials in secret %s: does not contain githubAppID or username", credentialsSecret)
 	}
 	return nil, fmt.Errorf("unknown repository type")
 }