From df476ee434dcac99b864e5123ce4e89a920e94a9 Mon Sep 17 00:00:00 2001
From: Edward Cheng
Date: Mon, 15 Jul 2024 11:54:43 +1000
Subject: [PATCH] test in app secret decrypt and import
---
 scripts/argocd-values.yaml | 81 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 80 insertions(+), 1 deletion(-)
diff --git a/scripts/argocd-values.yaml b/scripts/argocd-values.yaml
index 702b03c..c9dcff4 100644
--- a/scripts/argocd-values.yaml
+++ b/scripts/argocd-values.yaml
@@ -16,7 +16,11 @@ configs:
 generate:
 command: [sh, -c]
 args: ["helm template --release-name release-name . > all.yaml && kustomize build"]
- helm.valuesFileSchemes: "secrets"
+ helm.valuesFileSchemes: >-
+ secrets+gpg-import, secrets+gpg-import-kubernetes,
+ secrets+age-import, secrets+age-import-kubernetes,
+ secrets, secrets+literal,
+ https
 params:
 server.insecure: true
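Review bot: The new `helm.valuesFileSchemes` list enables `secrets+gpg-import-kubernetes` and `secrets+age-import-kubernetes`, which as I understand helm-secrets' scheme syntax let an Application manifest name a Kubernetes Secret to read a decryption key from, so whatever Secret-read RBAC the repo-server holds becomes reachable from any Application author, and `https` lets values be fetched from arbitrary URLs at render time. If the intent is only to decrypt with the age key mounted in the repo-server, trim the list to `secrets` (plus `secrets+literal` if it is used) and add a comment beside it recording why each remaining scheme is needed, e.g. `# secrets+age-import: per-Application key path; *-import-kubernetes: key read from a Secret via the repo-server's RBAC`. Either way this list deserves a re-review whenever Application authorship is opened to anyone below cluster admin.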
@@ -28,6 +32,81 @@ redis-ha:
 enabled: true
 server:
+ env:
+ - name: HELM_PLUGINS
+ value: /gitops-tools/helm-plugins/
+ - name: HELM_SECRETS_CURL_PATH
+ value: /gitops-tools/curl
+ - name: HELM_SECRETS_SOPS_PATH
+ value: /gitops-tools/sops
+ - name: HELM_SECRETS_VALS_PATH
+ value: /gitops-tools/vals
+ - name: HELM_SECRETS_KUBECTL_PATH
+ value: /gitops-tools/kubectl
+ - name: HELM_SECRETS_BACKEND
+ value: sops
+ - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
+ value: "false"
+ - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
+ value: "true"
+ - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
+ value: "false"
+ - name: HELM_SECRETS_WRAPPER_ENABLED
+ value: "true"
+ - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
+ value: "true"
+ - name: HELM_SECRETS_HELM_PATH
+ value: /usr/local/bin/helm
+ - name: SOPS_AGE_KEY_FILE
+ # Multiple keys can be separated by space
+ value: /helm-secrets-private-keys/age.agekey
+ initContainers:
+ - name: download-tools
+ image: alpine:latest
+ imagePullPolicy: IfNotPresent
+ command: [ sh, -ec ]
+ env:
+ - name: HELM_SECRETS_VERSION
+ value: "4.6.0"
+ - name: KUBECTL_VERSION
+ value: "1.30.2"
+ - name: VALS_VERSION
+ value: "0.37.3"
+ - name: SOPS_VERSION
+ value: "3.9.0"
+ args:
+ - |
+ mkdir -p /gitops-tools/helm-plugins
+
+ GO_ARCH=$(uname -m | sed -e 's/x86_64/amd64/')
+ wget -qO /gitops-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-${GO_ARCH}
+
+ GO_ARCH=$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/') && \
+ wget -qO /gitops-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${GO_ARCH}/kubectl
+ wget -qO /gitops-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${GO_ARCH}
+ wget -qO- https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_${GO_ARCH}.tar.gz | tar zxv -C /gitops-tools vals
+ wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /gitops-tools/helm-plugins -xzf-
+
+ chmod +x /gitops-tools/*
+ cp /gitops-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /gitops-tools/helm
+ volumeMounts:
+ - mountPath: /gitops-tools
+ name: gitops-tools
+ volumes:
+ - name: gitops-tools
+ emptyDir: { }
+ # kubectl create secret generic helm-secrets-private-keys --from-file=key.asc=assets/gpg/private2.gpg
+ - name: helm-secrets-private-keys
+ secret:
+ secretName: sops-age
+ volumeMounts:
+ - mountPath: /gitops-tools
+ name: gitops-tools
+ - mountPath: /usr/local/sbin/helm
+ subPath: helm
+ name: gitops-tools
+ - mountPath: /helm-secrets-private-keys/
+ name: helm-secrets-private-keys
 autoscaling:
 enabled: true
 minReplicas: 2
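Review bot: The download-tools init container pulls sops, kubectl, vals, helm-secrets and curl off the network and executes them with no integrity check, in the same pod that mounts the age private key from `sops-age` at /helm-secrets-private-keys/, so a swapped release asset — and the unpinned `alpine:latest` and `static-curl/releases/latest` targets, which change under you — becomes a path to the decryption key. Pin the curl release like the other tools and verify each artifact before the `chmod +x`, e.g. `echo "${SOPS_SHA256}  /gitops-tools/sops" | sha256sum -c -` with the digests kept next to the `*_VERSION` env vars, or build the tools into a reviewed repo-server image and drop the init container altogether. The first `GO_ARCH` only rewrites `x86_64`, so on an aarch64 node the curl URL asks for `curl-aarch64` while the later downloads use `arm64` (whether that matches the static-curl asset names I cannot tell from here); compute it once with the second expression. `HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH` is `"true"`, which as I read helm-secrets' docs lets a values reference in any Application name arbitrary absolute paths on the repo-server, so a comment such as `# absolute paths are required by the secrets+*-import schemes; repo-server is treated as trusted` would stop a later reader from assuming it is an oversight. The `# kubectl create secret generic helm-secrets-private-keys --from-file=key.asc=...` comment describes a GPG key while the volume actually reads `sops-age`/`age.agekey`; update it to the age command so the next operator creates the right Secret.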