argoproj · arnouthoebreckx · Sep 21, 2024
@@ -199,11 +199,19 @@ func (g *PullRequestGenerator) selectServiceProvider(ctx context.Context, genera
 	}
 	if generatorConfig.AzureDevOps != nil {
 		providerConfig := generatorConfig.AzureDevOps
+		var caCerts []byte
+		var scmError error
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
+			}
+		}
 		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.TokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Secret token: %w", err)
 		}
-		return pullrequest.NewAzureDevOpsService(ctx, token, providerConfig.API, providerConfig.Organization, providerConfig.Project, providerConfig.Repo, providerConfig.Labels)
+		return pullrequest.NewAzureDevOpsService(ctx, token, providerConfig.API, providerConfig.Organization, providerConfig.Project, providerConfig.Repo, providerConfig.Labels, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 	}
 	return nil, fmt.Errorf("no Pull Request provider implementation configured")
 }

@@ -200,11 +200,20 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 			return nil, fmt.Errorf("error initializing Bitbucket Server service: %w", scmError)
 		}
 	} else if providerConfig.AzureDevOps != nil {
-		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.AzureDevOps.AccessTokenRef, applicationSetInfo.Namespace)
+		providerConfig := providerConfig.AzureDevOps
+		var caCerts []byte
+		var scmError error
+		if providerConfig.CARef != nil {
+			caCerts, scmError = utils.GetConfigMapData(ctx, g.client, providerConfig.CARef, applicationSetInfo.Namespace)
+			if scmError != nil {
+				return nil, fmt.Errorf("error fetching CA certificates from ConfigMap: %w", scmError)
+			}
+		}
+		token, err := utils.GetSecretRef(ctx, g.client, providerConfig.AccessTokenRef, applicationSetInfo.Namespace)
 		if err != nil {
 			return nil, fmt.Errorf("error fetching Azure Devops access token: %w", err)
 		}
-		provider, err = scm_provider.NewAzureDevOpsProvider(ctx, token, providerConfig.AzureDevOps.Organization, providerConfig.AzureDevOps.API, providerConfig.AzureDevOps.TeamProject, providerConfig.AzureDevOps.AllBranches)
+		provider, err = scm_provider.NewAzureDevOpsProvider(ctx, token, providerConfig.Organization, providerConfig.API, providerConfig.TeamProject, providerConfig.AllBranches, g.scmRootCAPath, providerConfig.Insecure, caCerts)
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Azure Devops service: %w", err)
 		}

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/microsoft/azure-devops-go-api/azuredevops"
 	core "github.com/microsoft/azure-devops-go-api/azuredevops/core"
 	git "github.com/microsoft/azure-devops-go-api/azuredevops/git"
@@ -41,7 +42,7 @@ var (
 	_ AzureDevOpsClientFactory = &devopsFactoryImpl{}
 )
 
-func NewAzureDevOpsService(ctx context.Context, token, url, organization, project, repo string, labels []string) (PullRequestService, error) {
+func NewAzureDevOpsService(ctx context.Context, token, url, organization, project, repo string, labels []string, scmRootCAPath string, insecure bool, caCerts []byte) (PullRequestService, error) {
 	organizationUrl := buildURL(url, organization)
 
 	var connection *azuredevops.Connection
@@ -51,6 +52,9 @@ func NewAzureDevOpsService(ctx context.Context, token, url, organization, projec
 		connection = azuredevops.NewPatConnection(organizationUrl, token)
 	}
 
+	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
+	connection.TlsConfig = tlsConfig
+
 	return &AzureDevOpsService{
 		clientFactory: &devopsFactoryImpl{connection: connection},
 		project:       project,

@@ -7,6 +7,7 @@ import (
 	netUrl "net/url"
 	"strings"
 
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/google/uuid"
 	"github.com/microsoft/azure-devops-go-api/azuredevops"
 	azureGit "github.com/microsoft/azure-devops-go-api/azuredevops/git"
@@ -57,7 +58,7 @@ var (
 	_ AzureDevOpsClientFactory = &devopsFactoryImpl{}
 )
 
-func NewAzureDevOpsProvider(ctx context.Context, accessToken string, org string, url string, project string, allBranches bool) (*AzureDevOpsProvider, error) {
+func NewAzureDevOpsProvider(ctx context.Context, accessToken string, org string, url string, project string, allBranches bool, scmRootCAPath string, insecure bool, caCerts []byte) (*AzureDevOpsProvider, error) {
 	if accessToken == "" {
 		return nil, fmt.Errorf("no access token provided")
 	}
@@ -68,6 +69,8 @@ func NewAzureDevOpsProvider(ctx context.Context, accessToken string, org string,
 	}
 
 	connection := azuredevops.NewPatConnection(devOpsURL, accessToken)
+	tlsConfig := utils.GetTlsConfig(scmRootCAPath, insecure, caCerts)
+	connection.TlsConfig = tlsConfig
 
 	return &AzureDevOpsProvider{organization: org, teamProject: project, accessToken: accessToken, clientFactory: &devopsFactoryImpl{connection: connection}, allBranches: allBranches}, nil
 }

@@ -322,6 +322,10 @@ spec:
 * `tokenRef`: A `Secret` name and key containing the Azure DevOps access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional)
 * `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional)
 
+In case self-signed Azure DevOps certificates, the following options can be usefully:
+* `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates.
+* `caRef`: Optional `ConfigMap` name and key containing the Azure DevOps certificates to trust - useful for self-signed TLS certificates. Possibly reference the ArgoCD CM holding the trusted certs. Will be concatenated with the ArgoCD trusted CM.
+
 ## Filters
 
 Filters allow selecting which pull requests to generate for. Each filter can declare one or more conditions, all of which must pass. If multiple filters are present, any can match for a repository to be included. If no filters are specified, all pull requests will be processed.

@@ -263,6 +263,10 @@ spec:
 * `api`: Optional. URL to Azure DevOps. If not set, `https://dev.azure.com` is used.
 * `allBranches`: Optional, default `false`. If `true`, scans every branch of eligible repositories. If `false`, check only the default branch of the eligible repositories.
 
+In case self-signed Azure DevOps certificates, the following options can be usefully:
+* `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates.
+* `caRef`: Optional `ConfigMap` name and key containing the Azure DevOps certificates to trust - useful for self-signed TLS certificates. Possibly reference the ArgoCD CM holding the trusted certs. Will be concatenated with the ArgoCD trusted CM.
+
 ## Bitbucket Cloud
 
 The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in bitbucket.org.