superorbital · jmcshane · Aug 10, 2023
diff --git a/reposerver/askpass/server.go b/reposerver/askpass/server.go
@@ -11,6 +11,8 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/argoproj/argo-cd/v2/util/io"
 )
@@ -34,6 +36,7 @@ func NewServer() *server {
 }
 
 func (s *server) GetCredentials(_ context.Context, q *CredentialsRequest) (*CredentialsResponse, error) {
+	log.Infof("Received GetCredentials request with nonce: %s", q.Nonce)
 	if q.Nonce == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "missing nonce")
 	}

diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go
@@ -1813,7 +1813,7 @@ func makeJsonnetVm(appPath string, repoRoot string, sourceJsonnet v1alpha1.Appli
 	return vm, nil
 }
 
-func getPluginEnvs(env *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Creds) ([]string, error) {
+func getPluginEnvs(env *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Creds) ([]string, io.Closer, error) {
 	envVars := env.Environ()
 	envVars = append(envVars, "KUBE_VERSION="+text.SemVer(q.KubeVersion))
 	envVars = append(envVars, "KUBE_API_VERSIONS="+strings.Join(q.ApiVersions, ","))
@@ -1822,22 +1822,23 @@ func getPluginEnvs(env *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Cr
 }
 
 // getPluginParamEnvs gets environment variables for plugin parameter announcement generation.
-func getPluginParamEnvs(envVars []string, plugin *v1alpha1.ApplicationSourcePlugin, creds git.Creds) ([]string, error) {
+func getPluginParamEnvs(envVars []string, plugin *v1alpha1.ApplicationSourcePlugin, creds git.Creds) ([]string, io.Closer, error) {
+	var credCloser io.Closer
 	env := envVars
 	if creds != nil {
 		closer, environ, err := creds.Environ()
 		if err != nil {
-			return nil, err
+			return nil, nil, err
 		}
-		defer func() { _ = closer.Close() }()
+		credCloser = closer
 		env = append(env, environ...)
 	}
 
 	parsedEnv := make(v1alpha1.Env, len(env))
 	for i, v := range env {
 		parsedVar, err := v1alpha1.NewEnvEntry(v)
 		if err != nil {
-			return nil, fmt.Errorf("failed to parse env vars")
+			return nil, credCloser, fmt.Errorf("failed to parse env vars")
 		}
 		parsedEnv[i] = parsedVar
 	}
@@ -1850,17 +1851,20 @@ func getPluginParamEnvs(envVars []string, plugin *v1alpha1.ApplicationSourcePlug
 		}
 		paramEnv, err := plugin.Parameters.Environ()
 		if err != nil {
-			return nil, fmt.Errorf("failed to generate env vars from parameters: %w", err)
+			return nil, credCloser, fmt.Errorf("failed to generate env vars from parameters: %w", err)
 		}
 		env = append(env, paramEnv...)
 	}
 
-	return env, nil
+	return env, credCloser, nil
 }
 
 func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath, pluginName string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Creds, tarDoneCh chan<- bool, tarExcludedGlobs []string) ([]*unstructured.Unstructured, error) {
 	// compute variables.
-	env, err := getPluginEnvs(envVars, q, creds)
+	env, closer, err := getPluginEnvs(envVars, q, creds)
+	if closer != nil {
+		defer func() { _ = closer.Close() }()
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -2111,7 +2115,10 @@ func populatePluginAppDetails(ctx context.Context, res *apiclient.RepoAppDetails
 		fmt.Sprintf("ARGOCD_APP_SOURCE_TARGET_REVISION=%s", q.Source.TargetRevision),
 	}
 
-	env, err := getPluginParamEnvs(envVars, q.Source.Plugin, creds)
+	env, closer, err := getPluginParamEnvs(envVars, q.Source.Plugin, creds)
+	if closer != nil {
+		defer func() { _ = closer.Close() }()
+	}
 	if err != nil {
 		return fmt.Errorf("failed to get env vars for plugin: %w", err)
 	}

diff --git a/util/git/creds.go b/util/git/creds.go
@@ -385,9 +385,12 @@ func (g GitHubAppCreds) Environ() (io.Closer, []string, error) {
 		env = append(env, fmt.Sprintf("GIT_SSL_KEY=%s", keyFile.Name()))
 
 	}
+	log.Debugf("Adding app creds to the credentials store. Username: %s, Password: %s", githubAccessTokenUsername, token)
 	nonce := g.store.Add(githubAccessTokenUsername, token)
+	log.Debugf("Stored specified creds with nonce: %s", nonce)
 	env = append(env, getGitAskPassEnv(nonce)...)
 	return argoioutils.NewCloser(func() error {
+		log.Debugf("Removing specified creds with nonce: %s", nonce)
 		g.store.Remove(nonce)
 		return httpCloser.Close()
 	}), env, nil