fix: create read and write secret for same url (#25581)

Signed-off-by: emirot <emirot.nolan@gmail.com>
2026-02-20 01:28:45 +01:00 · 2025-12-09 22:04:48 -08:00
parent 4a1bf9efff
commit 9129e8668f
4 changed files with 98 additions and 3 deletions
--- a/util/db/db_test.go
+++ b/util/db/db_test.go
@@ -163,7 +163,7 @@ func TestCreateWriteRepoCredentials(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, "https://github.com/argoproj/", creds.URL)

-	secret, err := clientset.CoreV1().Secrets(testNamespace).Get(t.Context(), RepoURLToSecretName(credSecretPrefix, creds.URL, ""), metav1.GetOptions{})
+	secret, err := clientset.CoreV1().Secrets(testNamespace).Get(t.Context(), RepoURLToSecretName(credWriteSecretPrefix, creds.URL, ""), metav1.GetOptions{})
 	require.NoError(t, err)

 	assert.Equal(t, common.AnnotationValueManagedByArgoCD, secret.Annotations[common.AnnotationKeyManagedBy])
--- a/util/db/repository.go
+++ b/util/db/repository.go
@@ -19,8 +19,12 @@ import (
 const (
 	// Prefix to use for naming repository secrets
 	repoSecretPrefix = "repo"
+	// Prefix to use for naming repository write secrets
+	repoWriteSecretPrefix = "repo-write"
 	// Prefix to use for naming credential template secrets
 	credSecretPrefix = "creds"
+	// Prefix to use for naming write credential template secrets
+	credWriteSecretPrefix = "creds-write"
 	// The name of the key storing the username in the secret
 	username = "username"
 	// The name of the key storing the password in the secret
--- a/util/db/repository_secrets.go
+++ b/util/db/repository_secrets.go
@@ -26,7 +26,11 @@ type secretsRepositoryBackend struct {
 }

 func (s *secretsRepositoryBackend) CreateRepository(ctx context.Context, repository *appsv1.Repository) (*appsv1.Repository, error) {
-	secName := RepoURLToSecretName(repoSecretPrefix, repository.Repo, repository.Project)
+	secretPrefix := repoSecretPrefix
+	if s.writeCreds {
+		secretPrefix = repoWriteSecretPrefix
+	}
+	secName := RepoURLToSecretName(secretPrefix, repository.Repo, repository.Project)

 	repositorySecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -179,7 +183,11 @@ func (s *secretsRepositoryBackend) RepositoryExists(_ context.Context, repoURL,
 }

 func (s *secretsRepositoryBackend) CreateRepoCreds(ctx context.Context, repoCreds *appsv1.RepoCreds) (*appsv1.RepoCreds, error) {
-	secName := RepoURLToSecretName(credSecretPrefix, repoCreds.URL, "")
+	secretPrefix := credSecretPrefix
+	if s.writeCreds {
+		secretPrefix = credWriteSecretPrefix
+	}
+	secName := RepoURLToSecretName(secretPrefix, repoCreds.URL, "")

 	repoCredsSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
--- a/util/db/repository_secrets_test.go
+++ b/util/db/repository_secrets_test.go
@@ -1178,3 +1178,86 @@ func TestRaceConditionInRepositoryOperations(t *testing.T) {
 	assert.Equal(t, repo.Username, finalRepo.Username)
 	assert.Equal(t, repo.Password, finalRepo.Password)
 }
+
+func TestCreateReadAndWriteSecretForSameURL(t *testing.T) {
+	clientset := getClientset()
+	settingsMgr := settings.NewSettingsManager(t.Context(), clientset, testNamespace)
+
+	repo := &appsv1.Repository{
+		Name:     "TestRepo",
+		Repo:     "git@github.com:argoproj/argo-cd.git",
+		Username: "user",
+		Password: "pass",
+	}
+
+	// Create read secret
+	readBackend := &secretsRepositoryBackend{db: &db{
+		ns:            testNamespace,
+		kubeclientset: clientset,
+		settingsMgr:   settingsMgr,
+	}, writeCreds: false}
+	_, err := readBackend.CreateRepository(t.Context(), repo)
+	require.NoError(t, err)
+
+	// Create write secret
+	writeBackend := &secretsRepositoryBackend{db: &db{
+		ns:            testNamespace,
+		kubeclientset: clientset,
+		settingsMgr:   settingsMgr,
+	}, writeCreds: true}
+	_, err = writeBackend.CreateRepository(t.Context(), repo)
+	require.NoError(t, err)
+
+	// Assert both secrets exist
+	readSecretName := RepoURLToSecretName(repoSecretPrefix, repo.Repo, repo.Project)
+	writeSecretName := RepoURLToSecretName(repoWriteSecretPrefix, repo.Repo, repo.Project)
+
+	readSecret, err := clientset.CoreV1().Secrets(testNamespace).Get(t.Context(), readSecretName, metav1.GetOptions{})
+	require.NoError(t, err)
+	assert.Equal(t, common.LabelValueSecretTypeRepository, readSecret.Labels[common.LabelKeySecretType])
+
+	writeSecret, err := clientset.CoreV1().Secrets(testNamespace).Get(t.Context(), writeSecretName, metav1.GetOptions{})
+	require.NoError(t, err)
+	assert.Equal(t, common.LabelValueSecretTypeRepositoryWrite, writeSecret.Labels[common.LabelKeySecretType])
+}
+
+func TestCreateReadAndWriteRepoCredsSecretForSameURL(t *testing.T) {
+	clientset := getClientset()
+	settingsMgr := settings.NewSettingsManager(t.Context(), clientset, testNamespace)
+
+	creds := &appsv1.RepoCreds{
+		URL:      "git@github.com:argoproj/argo-cd.git",
+		Username: "user",
+		Password: "pass",
+	}
+
+	// Create read creds secret
+	readBackend := &secretsRepositoryBackend{db: &db{
+		ns:            testNamespace,
+		kubeclientset: clientset,
+		settingsMgr:   settingsMgr,
+	}, writeCreds: false}
+	_, err := readBackend.CreateRepoCreds(t.Context(), creds)
+	require.NoError(t, err)
+
+	// Create write creds secret
+	writeBackend := &secretsRepositoryBackend{db: &db{
+		ns:            testNamespace,
+		kubeclientset: clientset,
+		settingsMgr:   settingsMgr,
+	}, writeCreds: true}
+	_, err = writeBackend.CreateRepoCreds(t.Context(), creds)
+	require.NoError(t, err)
+
+	// Assert both secrets exist
+	readSecretName := RepoURLToSecretName(credSecretPrefix, creds.URL, "")
+	writeSecretName := RepoURLToSecretName(credWriteSecretPrefix, creds.URL, "")
+
+	readSecret, err := clientset.CoreV1().Secrets(testNamespace).Get(t.Context(), readSecretName, metav1.GetOptions{})
+	require.NoError(t, err)
+	assert.Equal(t, common.LabelValueSecretTypeRepoCreds, readSecret.Labels[common.LabelKeySecretType])
+
+	writeSecret, err := clientset.CoreV1().Secrets(testNamespace).Get(t.Context(), writeSecretName, metav1.GetOptions{})
+	require.NoError(t, err)
+	assert.Equal(t, common.LabelValueSecretTypeRepoCredsWrite, writeSecret.Labels[common.LabelKeySecretType])
+}