Helm plugins #1105
Comments
Another question, how would you handle an application with multiple configuration types, i.e. the application is deployed with helm, and a set of values. And you also for the deployment of the app, want to deploy some CRD, for instance an istio rule. Do you deploy each of these separately? |
Currently the only application source which can take advantage of these custom tools, are kustomize 1.0 applications with its secretGenerator feature, which allows execution of arbitrary commands to generate the secret values. NOTE: this feature is being removed in kustomize 2.0 due to security concerns.
For helm, installation of plugins would need to be done by custom building the repo server with the helm plugin installed. But to leverage these plugins, Argo CD needs to add support for running arbitrary commands/scripts to render the YAML. This feature is being tracked here: #701 |
I wonder if a way around this limitation for helm is to inject a wrapper script that does the decryption on the fly transparently to Argo and also run the helm tiller plugin. Basically replace the helm binary with a script that takes the args and passes them into helm with all of the plugins enabled. |
Yep, that would be a workaround until we support the ability to run custom commands. |
Sweet. Thanks. |
@jessesuen, I'd also like to know your suggestions on how to install a helm chart with a values file located in a git-crypt encrypted repo? I'd assume that this is a fairly common work pattern. |
I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
I think this issue should stay open until custom binary support is added. Not sure if anyone agrees |
This should be fixed by the use of config management plugin. |
Any luck with this? I am struggling with utilizing helm secrets via plugin support (eks + kms oidc/rbac ) and the docs are lacking unfortunately, especially for the argocd-cm configmap needed for helm secrets to work :-( |
argoproj#2558 Based on discussions from: argoproj#2558 argoproj#2789 argoproj#1105 argoproj#1153 I've spent a lot of time to put everything together to get integration with GCS working. I think it's worth to have documentation for it.
Your problem is probably that you install the helm plugin with root user instead of argocd.
|
@toninis did you make this work?

```
kubectl exec pio-argocd-server-b78c5b4fc-czmpx -- whoami
argocd
kubectl exec pio-argocd-server-b78c5b4fc-vswdh -- which helm
/usr/local/bin/helm
ka exec pio-argocd-server-b78c5b4fc-vswdh -- cat $(which helm)
#! /bin/sh
# my helm wrapper code
# the wrapper working here as helm default output is replaced by helm secrets default output
kubectl exec pio-argocd-server-b78c5b4fc-czmpx -- helm
GnuPG secrets encryption in Helm Charts
This plugin provides ability to encrypt/decrypt secrets files
to store in less secure places, before they are installed using
Helm.
To decrypt/encrypt/edit you need to initialize/first encrypt secrets with
sops - https://github.com/mozilla/sops
Available Commands:
enc Encrypt secrets file
dec Decrypt secrets file
view Print secrets decrypted
edit Edit secrets file and encrypt afterwards
clean Remove all decrypted files in specified directory (recursively)
install wrapper that decrypts secrets[.*].yaml files before running helm install
template wrapper that decrypts secrets[.*].yaml files before running helm template
upgrade wrapper that decrypts secrets[.*].yaml files before running helm upgrade
lint wrapper that decrypts secrets[.*].yaml files before running helm lint
diff wrapper that decrypts secrets[.*].yaml files before running helm diff
(diff is a helm plugin)
```

But argocd is giving me

My whole Dockerfile:

```
FROM argoproj/argocd:v1.7.6
ARG SOPS_VERSION="v3.6.1"
ARG HELM_SECRETS_VERSION="2.0.2"
ARG SOPS_PGP_FP="141B69EE206943BA9A64E691A00C9B1A7DCB6D07"
ENV SOPS_PGP_FP=${SOPS_PGP_FP}
USER root
COPY helm-wrapper.sh /usr/local/bin/
RUN apt-get update && \
    apt-get install -y \
    curl \
    gpg && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    curl -o /usr/local/bin/sops -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux && \
    chmod +x /usr/local/bin/sops && \
    cd /usr/local/bin && \
    mv helm helm.bin && \
    mv helm2 helm2.bin && \
    mv helm-wrapper.sh helm && \
    ln helm helm2 && \
    chmod +x helm helm2
USER argocd
RUN /usr/local/bin/helm.bin plugin install https://github.com/zendesk/helm-secrets --version ${HELM_SECRETS_VERSION}
ENV HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/"
```

|
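
The wrapper approach discussed in this thread, sketched as an added example; it is not the commenter's elided `helm-wrapper.sh` nor Argo CD project code. It assumes the `helm.bin`/`helm2.bin` renames from the Dockerfile above and the wrapper subcommands listed in the helm-secrets help output; the function names `is_secrets_cmd`, `has_secrets_file` and `route` are hypothetical.

```shell
#!/bin/sh
# Added example (not the commenter's wrapper): installed as /usr/local/bin/helm
# and hard-linked as helm2, with the real binaries renamed to helm.bin/helm2.bin
# as in the Dockerfile above. Function names are hypothetical.

# Subcommands the helm-secrets help text lists as decrypting wrappers.
is_secrets_cmd() {
    case "$1" in
        install|template|upgrade|lint|diff) return 0 ;;
        *) return 1 ;;
    esac
}

# True if any argument names a secrets[.*].yaml values file, given either as
# a separate word (-f secrets.yaml) or as --values=path/secrets.prod.yaml.
has_secrets_file() {
    for arg in "$@"; do
        name="${arg##*=}"      # drop a leading "--values=" style prefix
        name="${name##*/}"     # drop any directory part
        case "$name" in
            secrets.yaml|secrets.*.yaml) return 0 ;;
        esac
    done
    return 1
}

# Print "secrets" when the call must go through the plugin, else "plain".
route() {
    if [ "$#" -gt 0 ] && is_secrets_cmd "$1" && has_secrets_file "$@"; then
        echo secrets
    else
        echo plain
    fi
}

# Dispatch only when invoked under the replaced binary's name. "$@" stays
# quoted so arguments are forwarded word for word, never re-split or globbed.
case "${0##*/}" in
    helm|helm2)
        real="/usr/local/bin/${0##*/}.bin"
        if [ "$(route "$@")" = secrets ]; then
            exec "$real" secrets "$@"
        fi
        exec "$real" "$@"
        ;;
esac
```

Routing only the listed subcommands, and only when a secrets file is actually passed, keeps every other helm invocation on the unmodified binary, which limits how much of the repo server's behaviour depends on the plugin.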
So, I'm assuming including a helm wrapper script is still the only way to use an installed plugin? For example, 'helm secrets install'. |
So, I was able to get my helm wrapper script to work so that it executes helm2 secrets template when building the manifests to install. However, the resulting values are messed up. How are the values in the UI built? If I include helm charts and secrets.yaml, etc on my custom argocd image, I can do a helm template command that properly reads my secrets and spits out the expected manifests. |
We could use the helm secrets plugin without wrapper script. It is possible to specify secrets values like |
Hi, are there any updates on this issue? |
Hello,
I am looking at this tool and it looks well thought out. In looking at it, I have a couple of questions.
Any tips would be much appreciated. Thanks!