refactor(argocd): migrate ArgoCD to NestJS

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/server-nestjs/package.json

@@ -54,6 +54,7 @@
     "dotenv": "^16.4.7",
     "fastify": "^4.29.1",
     "fastify-keycloak-adapter": "2.3.2",
+    "js-yaml": "^4.1.1",
     "json-2-csv": "^5.5.7",
     "keycloak-connect": "^25.0.0",
     "mustache": "^4.2.0",
@@ -78,6 +79,7 @@
     "@nestjs/testing": "^11.0.1",
     "@types/express": "^5.0.0",
     "@types/jest": "^30.0.0",
+    "@types/js-yaml": "4.0.9",
     "@types/node": "^22.10.7",
     "@types/supertest": "^6.0.2",
     "@vitest/coverage-v8": "^2.1.8",

apps/server-nestjs/src/cpin-module/infrastructure/configuration/configuration.service.ts

@@ -34,6 +34,15 @@ export class ConfigurationService {
     = process.env.CONTACT_EMAIL
       ?? 'cloudpinative-relations@interieur.gouv.fr'
 
+  // argocd
+  argoNamespace = process.env.ARGO_NAMESPACE ?? 'argocd'
+  argocdUrl = process.env.ARGOCD_URL
+  argocdExtraRepositories = process.env.ARGOCD_EXTRA_REPOSITORIES
+
+  // dso
+  dsoEnvChartVersion = process.env.DSO_ENV_CHART_VERSION ?? 'dso-env-1.6.0'
+  dsoNsChartVersion = process.env.DSO_NS_CHART_VERSION ?? 'dso-ns-1.1.5'
+
   // plugins
   mockPlugins = process.env.MOCK_PLUGINS === 'true'
   projectRootDir = process.env.PROJECTS_ROOT_DIR

apps/server-nestjs/src/main.module.ts

@@ -5,6 +5,9 @@ import { ScheduleModule } from '@nestjs/schedule'
 import { CpinModule } from './cpin-module/cpin.module'
 import { IamModule } from './modules/iam/iam.module'
 import { KeycloakModule } from './modules/keycloak/keycloak.module'
+import { ArgoCDModule } from './modules/argocd/argocd.module'
+import { GitlabModule } from './modules/gitlab/gitlab.module'
+import { VaultModule } from './modules/vault/vault.module'
 
 // This module only exists to import other module.
 // « One module to rule them all, and in NestJs bind them »
@@ -13,6 +16,9 @@ import { KeycloakModule } from './modules/keycloak/keycloak.module'
     CpinModule,
     IamModule,
     KeycloakModule,
+    ArgoCDModule,
+    GitlabModule,
+    VaultModule,
     EventEmitterModule.forRoot(),
     ScheduleModule.forRoot(),
   ],

apps/server-nestjs/src/modules/argocd/argocd-controller.service.spec.ts

@@ -0,0 +1,169 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+import type { Mocked } from 'vitest'
+import { load } from 'js-yaml'
+import { ArgoCDControllerService } from './argocd-controller.service'
+import type { ArgoCDDatastoreService, ProjectWithDetails } from './argocd-datastore.service'
+import type { ConfigurationService } from '@/cpin-module/infrastructure/configuration/configuration.service'
+import type { GitlabService } from '../gitlab/gitlab.service'
+import type { VaultService } from '../vault/vault.service'
+
+const mockArgoCDDatastore = {
+  getAllProjects: vi.fn(),
+} as unknown as Mocked<ArgoCDDatastoreService>
+
+const mockConfigService = {
+  keycloakControllerPurgeOrphans: true,
+  argoNamespace: 'argocd',
+  argocdUrl: 'http://argocd',
+  argocdExtraRepositories: 'repo3',
+  dsoEnvChartVersion: 'dso-env-1.6.0',
+  dsoNsChartVersion: 'dso-ns-1.1.5',
+} as unknown as Mocked<ConfigurationService>
+
+const mockGitlabService = {
+  getOrCreateInfraProject: vi.fn(),
+  getPublicGroupUrl: vi.fn(),
+  getPublicRepoUrl: vi.fn(),
+  commitCreateOrUpdate: vi.fn(),
+  commitDelete: vi.fn(),
+  listFiles: vi.fn(),
+} as unknown as Mocked<GitlabService>
+
+const mockVaultService = {
+  getProjectValues: vi.fn(),
+} as unknown as Mocked<VaultService>
+
+describe('argoCDControllerService', () => {
+  let service: ArgoCDControllerService
+  let datastore: Mocked<ArgoCDDatastoreService>
+  let gitlabService: Mocked<GitlabService>
+  let vaultService: Mocked<VaultService>
+
+  beforeEach(() => {
+    service = new ArgoCDControllerService(
+      mockArgoCDDatastore,
+      mockConfigService,
+      mockGitlabService,
+      mockVaultService,
+    )
+    datastore = mockArgoCDDatastore
+    gitlabService = mockGitlabService
+    vaultService = mockVaultService
+    vi.clearAllMocks()
+  })
+
+  it('should be defined', () => {
+    expect(service).toBeDefined()
+  })
+
+  describe('reconcile', () => {
+    it('should sync project environments', async () => {
+      const mockProject = {
+        id: '123e4567-e89b-12d3-a456-426614174000',
+        slug: 'project-1',
+        name: 'Project 1',
+        environments: [
+          { id: '123e4567-e89b-12d3-a456-426614174001', name: 'dev', clusterId: 'c1', cpu: 1, gpu: 0, memory: 1, autosync: true },
+          { id: '123e4567-e89b-12d3-a456-426614174002', name: 'prod', clusterId: 'c1', cpu: 1, gpu: 0, memory: 1, autosync: true },
+        ],
+        clusters: [
+          { id: 'c1', label: 'cluster-1', zone: { slug: 'zone-1' } },
+        ],
+        repositories: [
+          {
+            id: 'repo-1',
+            internalRepoName: 'infra-repo',
+            url: 'http://gitlab/infra-repo',
+            isInfra: true,
+          },
+        ],
+        plugins: [{ pluginName: 'argocd', key: 'extraRepositories', value: 'repo2' }],
+      } as unknown as ProjectWithDetails
+
+      datastore.getAllProjects.mockResolvedValue([mockProject])
+      gitlabService.getOrCreateInfraProject.mockResolvedValue({ id: 100, http_url_to_repo: 'http://gitlab/infra' })
+      gitlabService.getPublicGroupUrl.mockResolvedValue('http://gitlab/group')
+      gitlabService.getPublicRepoUrl.mockResolvedValue('http://gitlab/infra-repo')
+      gitlabService.listFiles.mockResolvedValue([])
+      vaultService.getProjectValues.mockResolvedValue({ secret: 'value' })
+
+      const results = await (service as any).reconcile()
+
+      expect(results).toHaveLength(3) // 2 envs + 1 cleanup (1 zone)
+
+      // Verify Gitlab calls
+      expect(gitlabService.commitCreateOrUpdate).toHaveBeenCalledTimes(2)
+
+      const calls = gitlabService.commitCreateOrUpdate.mock.calls
+      const devCall = calls.find(c => c[2] === 'Project 1/cluster-1/dev/values.yaml')
+      expect(devCall).toBeDefined()
+
+      const content = load(devCall![1]) as any
+      expect(content).toMatchObject({
+        common: {
+          'dso/project': 'Project 1',
+          'dso/project.slug': 'project-1',
+          'dso/environment': 'dev',
+        },
+        argocd: {
+          namespace: 'argocd',
+          project: expect.stringMatching(/^project-1-dev-[a-f0-9]{4}$/),
+        },
+        environment: {
+          valueFileRepository: 'http://gitlab/infra',
+          valueFilePath: 'Project 1/cluster-1/dev/values.yaml',
+          roGroup: '/project-project-1/console/dev/RO',
+          rwGroup: '/project-project-1/console/dev/RW',
+        },
+        application: {
+          quota: {
+            cpu: 1,
+            gpu: 0,
+            memory: '1Gi',
+          },
+          sourceRepositories: expect.arrayContaining([
+            expect.stringContaining('repo3'),
+            expect.stringContaining('repo2'),
+            expect.stringContaining('http://gitlab/group'),
+          ]),
+          destination: {
+            namespace: expect.any(String),
+            name: 'cluster-1',
+          },
+          autosync: true,
+          vault: { secret: 'value' },
+          repositories: [
+            {
+              repoURL: 'http://gitlab/infra-repo',
+              targetRevision: 'HEAD',
+              path: '.',
+              valueFiles: [],
+            },
+          ],
+        },
+      })
+    })
+
+    it('should handle errors gracefully', async () => {
+      const mockProject = {
+        id: '123e4567-e89b-12d3-a456-426614174000',
+        slug: 'project-1',
+        name: 'Project 1',
+        environments: [{ id: '123e4567-e89b-12d3-a456-426614174001', name: 'dev', clusterId: 'c1', cpu: 1, gpu: 0, memory: 1, autosync: true }],
+        clusters: [
+          { id: 'c1', label: 'cluster-1', zone: { slug: 'zone-1' } },
+        ],
+      } as unknown as ProjectWithDetails
+
+      datastore.getAllProjects.mockResolvedValue([mockProject])
+      gitlabService.getOrCreateInfraProject.mockRejectedValue(new Error('Sync failed'))
+
+      const results = await (service as any).reconcile()
+
+      // 1 env (fails) + 1 cleanup (fails because getOrCreateInfraProject fails)
+      expect(results).toHaveLength(2)
+      const failed = results.filter((r: any) => r.status === 'rejected')
+      expect(failed).toHaveLength(2)
+    })
+  })
+})

apps/server-nestjs/src/modules/argocd/argocd-controller.service.ts

@@ -0,0 +1,148 @@
+import type { OnModuleInit } from '@nestjs/common'
+import { Injectable, Logger } from '@nestjs/common'
+import { OnEvent } from '@nestjs/event-emitter'
+import { Cron, CronExpression } from '@nestjs/schedule'
+import { dump } from 'js-yaml'
+
+import type { ArgoCDDatastoreService, ProjectWithDetails } from './argocd-datastore.service'
+import type { ConfigurationService } from '@/cpin-module/infrastructure/configuration/configuration.service'
+import type { GitlabService } from '../gitlab/gitlab.service'
+import type { VaultService } from '../vault/vault.service'
+import {
+  formatEnvironmentValuesFilePath,
+  formatValues,
+  getDistinctZones,
+} from './argocd.utils'
+
+@Injectable()
+export class ArgoCDControllerService implements OnModuleInit {
+  private readonly logger = new Logger(ArgoCDControllerService.name)
+
+  constructor(
+    private readonly argoCDDatastore: ArgoCDDatastoreService,
+    private readonly configService: ConfigurationService,
+    private readonly gitlabService: GitlabService,
+    private readonly vaultService: VaultService,
+  ) {
+    this.logger.log('ArgoCDControllerService initialized')
+  }
+
+  onModuleInit() {
+    this.handleCron()
+  }
+
+  @OnEvent('project.upsert')
+  async handleUpsert(project: ProjectWithDetails) {
+    this.logger.log(`Handling project upsert for ${project.slug}`)
+    return this.reconcile()
+  }
+
+  @OnEvent('project.delete')
+  async handleDelete(project: ProjectWithDetails) {
+    this.logger.log(`Handling project delete for ${project.slug}`)
+    return this.reconcile()
+  }
+
+  @Cron(CronExpression.EVERY_HOUR)
+  async handleCron() {
+    this.logger.log('Starting ArgoCD reconciliation')
+    await this.reconcile()
+  }
+
+  private async reconcile() {
+    const projects = await this.argoCDDatastore.getAllProjects()
+    const results: PromiseSettledResult<void>[] = []
+
+    const projectResults = await Promise.all(projects.map(async (project) => {
+      const pResults: PromiseSettledResult<void>[] = []
+
+      const ensureResults = await Promise.allSettled(
+        project.environments.map(env => this.ensureValues(project, env)),
+      )
+      pResults.push(...ensureResults)
+
+      const cleanupResults = await this.cleanupStaleValues(project)
+      pResults.push(...cleanupResults)
+
+      return pResults
+    }))
+
+    results.push(...projectResults.flat())
+
+    results.forEach((result) => {
+      if (result.status === 'rejected') {
+        this.logger.error(`Reconciliation failed: ${result.reason}`)
+      }
+    })
+
+    return results
+  }
+
+  private async cleanupStaleValues(project: ProjectWithDetails) {
+    const zones = getDistinctZones(project)
+    return Promise.allSettled(zones.map(async (zoneSlug) => {
+      const infraProject = await this.gitlabService.getOrCreateInfraProject(zoneSlug)
+      const existingFiles = await this.gitlabService.listFiles(infraProject.id, {
+        path: `${project.name}/`,
+        recursive: true,
+      })
+
+      const neededFiles = project.environments
+        .filter((env) => {
+          const cluster = project.clusters.find(c => c.id === env.clusterId)
+          return cluster?.zone.slug === zoneSlug
+        })
+        .map((env) => {
+          const cluster = project.clusters.find(c => c.id === env.clusterId)!
+          return formatEnvironmentValuesFilePath(project, cluster, env)
+        })
+
+      const filesToDelete: string[] = []
+      for (const existingFile of existingFiles) {
+        if (
+          existingFile.name === 'values.yaml'
+          && !neededFiles.includes(existingFile.path)
+        ) {
+          filesToDelete.push(existingFile.path)
+        }
+      }
+
+      if (filesToDelete.length > 0) {
+        await this.gitlabService.commitDelete(infraProject.id, filesToDelete)
+      }
+    }))
+  }
+
+  async ensureValues(
+    project: ProjectWithDetails,
+    environment: ProjectWithDetails['environments'][number],
+  ) {
+    const vaultValues = await this.vaultService.getProjectValues(project.id)
+    const cluster = project.clusters.find(c => c.id === environment.clusterId)
+    if (!cluster) throw new Error(`Cluster not found for environment ${environment.id}`)
+
+    const infraProject = await this.gitlabService.getOrCreateInfraProject(cluster.zone.slug)
+    const valueFilePath = formatEnvironmentValuesFilePath(project, cluster, environment)
+
+    const repo = project.repositories.find(r => r.isInfra)
+    if (!repo) throw new Error(`Infra repository not found for project ${project.id}`)
+    const repoUrl = await this.gitlabService.getPublicRepoUrl(repo.internalRepoName)
+
+    const values = formatValues({
+      project,
+      environment,
+      cluster,
+      gitlabPublicGroupUrl: await this.gitlabService.getPublicGroupUrl(),
+      argocdExtraRepositories: this.configService.argocdExtraRepositories,
+      infraProject,
+      valueFilePath,
+      repoUrl,
+      vaultValues,
+      argoNamespace: this.configService.argoNamespace,
+      envChartVersion: this.configService.dsoEnvChartVersion,
+      nsChartVersion: this.configService.dsoNsChartVersion,
+    })
+
+    await this.gitlabService.commitCreateOrUpdate(infraProject.id, dump(values), valueFilePath)
+  }
+}