argoproj-labs / argocd-vault-plugin

An Argo CD plugin to retrieve secrets from Secret Management tools and inject them into Kubernetes secrets
https://argocd-vault-plugin.readthedocs.io
Apache License 2.0

Feature request: generate [[glob] [...]] #336

Open sspreitzer opened 2 years ago

sspreitzer commented 2 years ago

This feature request is to solve the problem of paths with mixed content, which fails the argocd-vault-plugin generate command. Some content may not be Kubernetes manifests, which causes the command to fail.

A solution could be to accept a list of globs instead of a single path. Eg:

argocd-vault-plugin './**/*{.yml,.yaml,.json}'

Right now this can probably achieved with (untested):

/bin/bash -O globstar -c 'cat ./**/*.yml | argocd-vault-plugin generate -'

For reference, there is a Golang glob implementation available; https://pkg.go.dev/github.com/gobwas/glob

sspreitzer commented 2 years ago

Atm. we use this:

            configManagementPlugins: |
              - name: argocd-vault-plugin-helm
                init:
                  command: ['bash', '-c']
                  args: ["helm dependency build"]
                generate:
                  command: ['bash', '-c']
                  args: ['helm template ${HELM_RELEASE_NAME:-${ARGOCD_APP_NAME}} . --values <(echo "${HELM_VALUES}") --include-crds ${HELM_ARGS} | argocd-vault-plugin generate -']
              - name: argocd-vault-plugin
                generate:
                  command: ['bash', '-c']
                  args: ['find ${DIRECTORY:-.} ${FINDOPTS:--regextype egrep -iregex ''.*\.(yml|yaml|json)''} -printf ''---\n'' -exec cat {} \; | argocd-vault-plugin generate -']

Due to an unknown reason, yaml single quote escaping does not work properly and the ENV variable has to be supplied as: (This config excludes directories and files that start with a dot, pattern ./.*)

  plugin:
    name: argocd-vault-plugin
    env:
      - name: FINDOPTS
        value: -regextype egrep -iregex .*\.(yml|yaml|json) -and -not -iregex ^\./\..*$

azerbe commented 2 years ago

Thanks for your post. This is a great request, because this problem disallows the usage of patterns like those proposed by the argocd-autopilot project. If you define an applicationset with git generators and add for example a config.json that should be used for variables to a filepath like

secrets/raw
├── config.json
└── secret-raw.yaml

the plugin will crash with

❯ argocd-vault-plugin generate -c avp.yaml secrets/raw
Error: could not read YAML/JSON files:
could not read file: secrets/raw/config.json from disk: Object 'Kind' is missing in '{
  "appName": "project-a",
  "userGivenName": "raw",
  "destNamespace": "project-a",
  "destServer": "in-cluster",
  "srcPath": "secrets/raw",
  "srcRepoURL": "https://git/gitops-project-a.git",
  "srcTargetRevision": "HEAD"
}'

These patterns are widely documented and part of the official argo-cd project. It would make sense to either update the documentation for "raw" manifests or find a better solution.
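As an added illustration of the two points raised in this issue (accepting a list of globs instead of a single path, and not crashing on a non-manifest file such as the config.json above), here is a small Python script that is not part of argocd-vault-plugin: it expands brace patterns, globs recursively, skips dotfiles as the FINDOPTS exclusion does, and passes only documents carrying apiVersion and kind, reporting the rest instead of failing. The sample tree, file contents and the `demo` helper are constructed for this example.

```python
import glob, json, os, re, tempfile
# A file counts as a manifest only if it has apiVersion and kind; config.json does not.
MANIFEST_KEY = re.compile(r"^(apiVersion|kind):", re.MULTILINE)

def expand_braces(pattern):
    """Expand shell-style alternation: '*{.yml,.yaml}' -> ['*.yml', '*.yaml']."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",") for p in expand_braces(head + alt + tail)]

def is_manifest(rel, text):
    if rel.endswith(".json"):
        try:
            doc = json.loads(text)
        except ValueError:
            return False
        return isinstance(doc, dict) and "apiVersion" in doc and "kind" in doc
    return bool(MANIFEST_KEY.search(text))  # cheap line check, no YAML parser needed

def collect_manifests(root, patterns):
    """Return (stream, skipped): '---'-joined manifests under root, and non-manifest matches."""
    matched = set()
    for pat in patterns:
        for p in expand_braces(pat):
            for hit in glob.glob(os.path.join(root, p), recursive=True):
                matched.add(os.path.relpath(hit, root).replace(os.sep, "/"))
    docs, skipped = [], []
    for rel in sorted(matched):
        if any(part.startswith(".") for part in rel.split("/")):
            continue  # hidden files/dirs, like the ^\./\..*$ exclusion in the issue
        with open(os.path.join(root, rel), encoding="utf-8") as fh:
            text = fh.read()
        if is_manifest(rel, text):
            docs.append(text.strip())
        else:
            skipped.append(rel)
    return "".join(f"---\n{d}\n" for d in docs), skipped

def demo():
    """Constructed tree mirroring the issue: a non-manifest config.json beside a Secret."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "secrets", "raw"))
    files = {"secrets/raw/config.json": '{"appName": "project-a", "srcPath": "secrets/raw"}',
             "secrets/raw/secret-raw.yaml": "apiVersion: v1\nkind: Secret\nmetadata:\n  name: demo\n"}
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return collect_manifests(root, ["**/*{.yml,.yaml,.json}"])
```

The returned stream is what you would pipe into `argocd-vault-plugin generate -`, while `skipped` lists what was left out so a silently dropped manifest does not go unnoticed.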