feat: manage clusters via proxy (#20374)

* feat: proxy support

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: proxy support

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* feat: proxy support

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix linter

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* small improvements

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* add cluster test

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* fix linter

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* change error message

Signed-off-by: pashakostohrys <pavel@codefresh.io>

* override always will change proxy url

Signed-off-by: pashakostohrys <pavel@codefresh.io>

---------

Signed-off-by: pashakostohrys <pavel@codefresh.io>

Author: pasha-codefresh

assets/swagger.json

@@ -2,6 +2,7 @@ package commands
 
 import (
 	"fmt"
+	"net/http"
 	"os"
 	"regexp"
 	"strings"
@@ -106,6 +107,11 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			contextName := args[0]
 			conf, err := getRestConfig(pathOpts, contextName)
 			errors.CheckError(err)
+			if clusterOpts.ProxyUrl != "" {
+				u, err := argoappv1.ParseProxyUrl(clusterOpts.ProxyUrl)
+				errors.CheckError(err)
+				conf.Proxy = http.ProxyURL(u)
+			}
 			clientset, err := kubernetes.NewForConfig(conf)
 			errors.CheckError(err)
 			managerBearerToken := ""
@@ -191,6 +197,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 	command.Flags().BoolVarP(&skipConfirmation, "yes", "y", false, "Skip explicit confirmation")
 	command.Flags().StringArrayVar(&labels, "label", nil, "Set metadata labels (e.g. --label key=value)")
 	command.Flags().StringArrayVar(&annotations, "annotation", nil, "Set metadata annotations (e.g. --annotation key=value)")
+	command.Flags().StringVar(&clusterOpts.ProxyUrl, "proxy-url", "", "use proxy to connect cluster")
 	cmdutil.AddClusterFlags(command, &clusterOpts)
 	return command
 }
@@ -374,6 +381,7 @@ func printClusterDetails(clusters []argoappv1.Cluster) {
 		fmt.Printf("  oAuth authentication:  %v\n", cluster.Config.BearerToken != "")
 		fmt.Printf("  AWS authentication:    %v\n", cluster.Config.AWSAuthConfig != nil)
 		fmt.Printf("\nDisable compression: %v\n", cluster.Config.DisableCompression)
+		fmt.Printf("\nUse proxy: %v\n", cluster.Config.ProxyUrl != "")
 		fmt.Println()
 	}
 }

cmd/argocd/commands/cluster.go

@@ -105,7 +105,13 @@ func NewCluster(name string, namespaces []string, clusterResources bool, conf *r
 		Labels:      labels,
 		Annotations: annotations,
 	}
-
+	// it's a tradeoff to get proxy url from rest config
+	// more detail: https://github.com/kubernetes/kubernetes/pull/81443
+	if conf.Proxy != nil {
+		if url, err := conf.Proxy(nil); err == nil {
+			clst.Config.ProxyUrl = url.String()
+		}
+	}
 	// Bearer token will preferentially be used for auth if present,
 	// Even in presence of key/cert credentials
 	// So set bearer token only if the key/cert data is absent
@@ -160,6 +166,7 @@ type ClusterOptions struct {
 	ExecProviderInstallHint string
 	ClusterEndpoint         string
 	DisableCompression      bool
+	ProxyUrl                string
 }
 
 // InClusterEndpoint returns true if ArgoCD should reference the in-cluster

cmd/util/cluster.go

@@ -567,6 +567,8 @@ execProviderConfig:
     }
     apiVersion: string
     installHint: string
+# Proxy URL for the kubernetes client to use when connecting to the cluster api server
+proxyUrl: string
 # Transport layer security configuration settings
 tlsClientConfig:
     # Base64 encoded PEM-encoded bytes (typically read from a client certificate file).

docs/operator-manual/declarative-setup.md

@@ -7,6 +7,7 @@ import (
 	"math"
 	"net"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"reflect"
@@ -2042,6 +2043,9 @@ type ClusterConfig struct {
 
 	// DisableCompression bypasses automatic GZip compression requests to the server.
 	DisableCompression bool `json:"disableCompression,omitempty" protobuf:"bytes,7,opt,name=disableCompression"`
+
+	// ProxyURL is the URL to the proxy to be used for all requests send to the server
+	ProxyUrl string `json:"proxyUrl,omitempty" protobuf:"bytes,8,opt,name=proxyUrl"`
 }
 
 // TLSClientConfig contains settings to enable transport layer security
@@ -3105,6 +3109,9 @@ func SetK8SConfigDefaults(config *rest.Config) error {
 		DisableCompression:  config.DisableCompression,
 		IdleConnTimeout:     K8sTCPIdleConnTimeout,
 	})
+	if config.Proxy != nil {
+		transport.Proxy = config.Proxy
+	}
 	tr, err := rest.HTTPWrappersForConfig(config, transport)
 	if err != nil {
 		return err
@@ -3128,6 +3135,20 @@ func SetK8SConfigDefaults(config *rest.Config) error {
 	return nil
 }
 
+// ParseProxyUrl returns a parsed url and verifies that schema is correct
+func ParseProxyUrl(proxyUrl string) (*url.URL, error) {
+	u, err := url.Parse(proxyUrl)
+	if err != nil {
+		return nil, err
+	}
+	switch u.Scheme {
+	case "http", "https", "socks5":
+	default:
+		return nil, fmt.Errorf("Failed to parse proxy url, unsupported scheme %q, must be http, https, or socks5", u.Scheme)
+	}
+	return u, nil
+}
+
 // RawRestConfig returns a go-client REST config from cluster that might be serialized into the file using kube.WriteKubeConfig method.
 func (c *Cluster) RawRestConfig() (*rest.Config, error) {
 	var config *rest.Config
@@ -3215,6 +3236,13 @@ func (c *Cluster) RawRestConfig() (*rest.Config, error) {
 	if err != nil {
 		return nil, fmt.Errorf("Unable to create K8s REST config: %w", err)
 	}
+	if c.Config.ProxyUrl != "" {
+		u, err := ParseProxyUrl(c.Config.ProxyUrl)
+		if err != nil {
+			return nil, fmt.Errorf("Unable to create K8s REST config, can`t parse proxy url: %w", err)
+		}
+		config.Proxy = http.ProxyURL(u)
+	}
 	config.DisableCompression = c.Config.DisableCompression
 	config.Timeout = K8sServerSideTimeout
 	config.QPS = K8sClientConfigQPS

docs/user-guide/commands/argocd_cluster_add.md

@@ -4265,3 +4265,35 @@ func TestAppProject_ValidateDestinationServiceAccount(t *testing.T) {
 		}
 	}
 }
+
+func TestCluster_ParseProxyUrl(t *testing.T) {
+	testData := []struct {
+		url            string
+		expectedErrMsg string
+	}{
+		{
+			url:            "https://192.168.99.100:8443",
+			expectedErrMsg: "",
+		},
+		{
+			url:            "test://!abc",
+			expectedErrMsg: "Failed to parse proxy url, unsupported scheme \"test\", must be http, https, or socks5",
+		},
+		{
+			url:            "http://192.168.99.100:8443",
+			expectedErrMsg: "",
+		},
+		{
+			url:            "socks5://192.168.99.100:8443",
+			expectedErrMsg: "",
+		},
+	}
+	for _, data := range testData {
+		_, err := ParseProxyUrl(data.url)
+		if data.expectedErrMsg == "" {
+			require.NoError(t, err)
+		} else {
+			require.ErrorContains(t, err, data.expectedErrMsg)
+		}
+	}
+}