wayfair-incubator / telefonistka

Safe and Controlled GitOps Promotion Across Environments/Failure-Domains
https://hub.docker.com/r/odedbenozer/telefonistka
MIT License
63 stars 7 forks

[ArgoCD only] comment the "diff" for the application manifest on open PRs #141

Closed Oded-B closed 4 months ago

Oded-B commented 9 months ago

Problem Statement

ArgoCD users who apply manifests on merge to the main branch "auto-sync" need a way to preview their changes before the merge. Most people currently implement this functionality using a generic CI/CD system like GitHub Actions or CircleCI, but those can be slow and are hard to implement securely as they allow unreviewed CI/CD code to run on PRs. Having Telefonistka trigger the diff API call and comment in the PR would make the user's life easier.

Proposed Solution

Telefonistka will trigger a diff API call to ArgoCD and will post the "diff" as a PR comment.

Alternatives Considered

Please briefly describe which alternatives, if any, have been considered, including merits of alternate approaches and tradeoffs being made.

Additional Context

Example of a bash/gh based implementation running in CircleCI:

```bash
# Collect the Argo CD applications touched by this PR. The path layout is the one the awk
# fields imply: clusters/<env>/<region>/<cluster>/<kind>/<app>/... and playground/<owner>/<app>/...
LIST_OF_CHANGED_ARGOCD_APPS=$(
  {
    gh pr view "$CIRCLE_PULL_REQUEST" --json files --jq '.files[].path' \
      | grep '^clusters/' \
      | awk -F/ '{print "argocd-infra-poc/" $6 "-" $2 "-" $3 "-" $4}'
    gh pr view "$CIRCLE_PULL_REQUEST" --json files --jq '.files[].path' \
      | grep '^playground/' \
      | awk -F/ '{print "argocd-infra-poc/" $3 "-playground"}'
  } | tr '_' '-' | sort -u
)
FAILED=0
for APP_NAME in $LIST_OF_CHANGED_ARGOCD_APPS; do
  echo "Checking app $APP_NAME"
  # argocd app diff exits 0 when there is no diff, 1 when there is one and 2 on error,
  # so only exit code 1 is a diff worth commenting; anything else is a failed check.
  DIFF=$(./argocd app diff "$APP_NAME" --revision "$CIRCLE_BRANCH" --hard-refresh)
  RC=$?
  if [ "$RC" -eq 1 ]; then
    printf 'Found diff:\n%s\n' "$DIFF"
    printf '# %s\n```diff\n%s\n```\n' "$APP_NAME" "$DIFF" | gh pr comment "$CIRCLE_PULL_REQUEST" --body-file -
  elif [ "$RC" -ne 0 ]; then
    echo "argocd app diff failed for $APP_NAME (exit code $RC)" >&2
    FAILED=1
  fi
done
exit "$FAILED"
```
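The same job expressed as a Go program, the shape it would take inside a Go service such as Telefonistka rather than in a CI shell step. This is an added example, not Telefonistka's code and not the issue author's; it assumes the repository layout and the `argocd-infra-poc` project name from the CircleCI snippet above, and that the `argocd` CLI is on `PATH` and already logged in. The mapping of changed paths to application names is the awk pipeline, and the diff is driven through a `DiffFunc` so the comment builder can be exercised without a cluster. The one behavioural difference from the snippet is that exit code 2 (argocd error) is reported as a failure instead of being posted to the PR as if it were a diff.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"sort"
	"strings"
)

// Project prefix and repo layout are assumptions taken from the CircleCI snippet
// in the issue, not from Telefonistka:
//   clusters/<env>/<region>/<cluster>/<kind>/<app>/...  -> argocd-infra-poc/<app>-<env>-<region>-<cluster>
//   playground/<owner>/<app>/...                        -> argocd-infra-poc/<app>-playground
const appProject = "argocd-infra-poc"

// AppsForChangedFiles maps the changed paths of a PR to the Argo CD application
// names that need a diff: deduplicated, sorted and with underscores turned into
// dashes, exactly as the awk | tr | sort | uniq pipeline does.
func AppsForChangedFiles(paths []string) []string {
	seen := map[string]struct{}{}
	for _, p := range paths {
		f := strings.Split(p, "/")
		var app string
		switch {
		case f[0] == "clusters" && len(f) >= 6:
			app = fmt.Sprintf("%s/%s-%s-%s-%s", appProject, f[5], f[1], f[2], f[3])
		case f[0] == "playground" && len(f) >= 3:
			app = fmt.Sprintf("%s/%s-playground", appProject, f[2])
		default:
			continue // not an Argo CD application path
		}
		seen[strings.ReplaceAll(app, "_", "-")] = struct{}{}
	}
	apps := make([]string, 0, len(seen))
	for a := range seen {
		apps = append(apps, a)
	}
	sort.Strings(apps)
	return apps
}

// DiffFunc runs `argocd app diff` for one app against one revision. The argocd
// CLI exits 0 when live and target match, 1 when they differ and 2 on error.
type DiffFunc func(app, revision string) (output string, exitCode int, err error)

// ArgocdCLIDiff shells out to the argocd CLI the way the CircleCI job does.
func ArgocdCLIDiff(app, revision string) (string, int, error) {
	out, err := exec.Command("argocd", "app", "diff", app, "--revision", revision, "--hard-refresh").CombinedOutput()
	var exitErr *exec.ExitError
	if errors.As(err, &exitErr) {
		return string(out), exitErr.ExitCode(), nil
	}
	return string(out), 0, err // err is nil on exit 0, or a non-exit error (e.g. binary missing)
}

// BuildComment renders the PR comment body: one fenced ```diff section per app
// that differs. An app whose diff command failed (exec error, exit 2 or a signal)
// is returned as an error rather than posted as though it were a diff, which is
// what a bare `if [ $? -ne 0 ]` check would do.
func BuildComment(apps []string, revision string, diff DiffFunc) (body string, errs []error) {
	var b strings.Builder
	for _, app := range apps {
		out, code, err := diff(app, revision)
		switch {
		case err != nil:
			errs = append(errs, fmt.Errorf("%s: %w", app, err))
		case code == 1:
			fmt.Fprintf(&b, "# %s\n```diff\n%s\n```\n\n", app, strings.TrimSpace(out))
		case code != 0:
			errs = append(errs, fmt.Errorf("%s: argocd app diff exited %d: %s", app, code, strings.TrimSpace(out)))
		}
	}
	return b.String(), errs
}

// main reads changed file paths from stdin, one per line (e.g. the output of
// `gh pr view N --json files --jq '.files[].path'`), takes the revision from argv[1]
// and prints the comment body so it can be piped to `gh pr comment N --body-file -`.
func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: argocd-pr-diff <revision> < changed-files.txt")
		os.Exit(2)
	}
	var paths []string
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		if p := strings.TrimSpace(sc.Text()); p != "" {
			paths = append(paths, p)
		}
	}
	body, errs := BuildComment(AppsForChangedFiles(paths), os.Args[1], ArgocdCLIDiff)
	for _, e := range errs {
		fmt.Fprintln(os.Stderr, "error:", e)
	}
	fmt.Print(body)
	if len(errs) > 0 {
		os.Exit(1)
	}
}
```

Run it as `gh pr view "$PR" --json files --jq '.files[].path' | go run . "$BRANCH" | gh pr comment "$PR" --body-file -`; an empty body means no app differed, and a non-zero exit means at least one diff could not be computed and the check should fail rather than silently pass.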
colethienes commented 8 months ago

I have an app that does just this. I recently released a Github app called Infro that several companies use internally that allows Argo CD users to preview Kubernetes changes in Github pull requests before they merge. I’m providing it for free to open source projects (https://github.com/broersma-forslund/homelab/pull/158#issuecomment-1962289857 an example in the wild). Here’s a setup guide with links to documentation. It’s in early stages, so I’m sure there will be warts. All feedback is welcome!

Oded-B commented 8 months ago

> I have an app that does just this. I recently released a GitHub app called Infro that several companies use internally that allows Argo CD users to preview Kubernetes changes in Github pull requests before they merge. I’m providing it for free to open source projects (broersma-forslund/homelab#158 (comment) an example in the wild). Here’s a setup guide with links to documentation. It’s in early stages, so I’m sure there will be warts. All feedback is welcome!

Nice!

But I'm not sure it will be a good fit for my current use case: sending our Git webhooks to a third party would require heavy compliance work. It will also require changes to how we expose the ArgoCD API/Web; at the moment it's behind an identity-aware proxy that only allows authenticated humans and provisioning static API tokens. The plan here is to use JWTs and the Dex OIDC provider to authenticate Telefonistka to the ArgoCD API based on its workload identity.

colethienes commented 7 months ago

Sorry for the late reply. Yeah makes sense - I heard that a lot! So, I recently open sourced it and added a "self-hosted" version which doesn't rely on webhooks. It basically just polls the Github API for PRs to comment on and publishes a diff to the ones it finds. I would appreciate feedback on it, if you find the time :)

github-actions[bot] commented 5 months ago

Automatically marking issue as stale due to lack of activity

github-actions[bot] commented 4 months ago

Automatically closing this issue as stale