argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Helm plugins #1105

Open gregdurham opened 5 years ago

gregdurham commented 5 years ago

Hello, I am looking at this tool and it looks well thought out. In looking at it, I have a couple of questions. 1) I see you have a bit of documentation on handling custom binaries but I don’t see how they are used. For instance using something like git-crypt to handle secrets stored in git. 2) how would I use a helm plugin. For instance if I wanted to do tillerless helm by using the helm tiller plugin or storing secrets using the helm secrets plugin.

Any tips would be much appreciated. Thanks!

gregdurham commented 5 years ago

Another question, how would you handle an application with multiple configuration types, i.e. the application is deployed with helm, and a set of values. And you also for the deployment of the app, want to deploy some CRD, for instance an istio rule. Do you deploy each of these separately?

jessesuen commented 5 years ago
> 1. I see you have a bit of documentation on handling custom binaries but I don’t see how they are used. For instance using something like git-crypt to handle secrets stored in git.

Currently the only application sources which can take advantage of these custom tools are kustomize 1.0 applications with its secretGenerator feature, which allows execution of arbitrary commands to generate the secret values. NOTE: this feature is being removed in kustomize 2.0 due to security concerns.

> 2. how would I use a helm plugin. For instance if I wanted to do tillerless helm by using the helm tiller plugin or storing secrets using the helm secrets plugin.

For helm, installation of plugins would need to be done by custom building the repo server with the helm plugin installed. But to leverage these plugins, Argo CD needs to add support for running arbitrary commands/scripts to render the YAML. This feature is being tracked here: https://github.com/argoproj/argo-cd/issues/701

gregdurham commented 5 years ago

I wonder if a way around this limitation for helm is to inject a wrapper script that does the decryption on the fly transparently to Argo and also run the helm tiller plugin. Basically replace the helm binary with a script that takes the args and passes them into helm with all of the plugins enabled.

jessesuen commented 5 years ago

> Basically replace the helm binary with a script that takes the args and passes them into helm with all of the plugins enabled.

Yep, that would be a workaround until we support the ability to run custom commands.

gregdurham commented 5 years ago

Sweet. Thanks.

djsd123 commented 5 years ago

@jessesuen, I'd also like to know your suggestions on how to install a helm chart with a values file located in a git-crypt encrypted repo? I'd assume that this is a fairly common work pattern.

nparfait commented 5 years ago

I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - ComparisonError rpc error: code = Unknown desc = Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

djsd123 commented 5 years ago

I think this issue should stay open until custom binary support is added. Not sure if anyone agrees

alexec commented 5 years ago

This should be fixed by the use of config management plugin.

lodotek commented 4 years ago

> I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - ComparisonError rpc error: code = Unknown desc = Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.

Any luck with this? I am struggling with utilizing helm secrets via plugin support (eks + kms oidc/rbac ) and the docs are lacking unfortunately, especially for the argocd-cm configmap needed for helm secrets to work :-(

toninis commented 4 years ago

> > I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - ComparisonError rpc error: code = Unknown desc = Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.
>
> Any luck with this? I am struggling with utilizing helm secrets via plugin support (eks + kms oidc/rbac ) and the docs are lacking unfortunately, especially for the argocd-cm configmap needed for helm secrets to work :-(

Your problem is probably that you install the helm plugin with root user instead of argocd. Try changing the user in your Dockerfile before installing the plugin.

```
...
USER argocd

ENV HELM_PLUGIN="/home/argocd/.local/share/helm/plugins/"
RUN helm plugin install https://github.com/zendesk/helm-secrets
```

esys commented 3 years ago

@toninis did you make this work? I have the same error using a wrapper script, and I followed your suggestion to install helm secrets as the argocd user in the Dockerfile. One thing I don't understand is that when I kubectl exec to the argocd server pod, the helm secrets wrapper seems to be working. But when argocd runs the helm template command, it seems to still use the non-wrapped helm binary.

```
kubectl exec pio-argocd-server-b78c5b4fc-czmpx -- whoami
argocd

kubectl exec pio-argocd-server-b78c5b4fc-vswdh -- which helm
/usr/local/bin/helm

ka exec pio-argocd-server-b78c5b4fc-vswdh -- cat $(which helm)
#! /bin/sh
# my helm wrapper code

# the wrapper working here as helm default output is replaced by helm secrets default output
kubectl exec pio-argocd-server-b78c5b4fc-czmpx -- helm
GnuPG secrets encryption in Helm Charts

This plugin provides ability to encrypt/decrypt secrets files
to store in less secure places, before they are installed using
Helm.

To decrypt/encrypt/edit you need to initialize/first encrypt secrets with
sops - https://github.com/mozilla/sops

Available Commands:
  enc       Encrypt secrets file
  dec       Decrypt secrets file
  view      Print secrets decrypted
  edit      Edit secrets file and encrypt afterwards
  clean         Remove all decrypted files in specified directory (recursively)
  install   wrapper that decrypts secrets[.*].yaml files before running helm install
  template  wrapper that decrypts secrets[.*].yaml files before running helm template
  upgrade   wrapper that decrypts secrets[.*].yaml files before running helm upgrade
  lint      wrapper that decrypts secrets[.*].yaml files before running helm lint
  diff      wrapper that decrypts secrets[.*].yaml files before running helm diff
                  (diff is a helm plugin)
```

But argocd is giving me rpc error: code = Unknown desc = helm template . --name-template ... failed exit status 1: Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.

My whole Dockerfile:

```
FROM argoproj/argocd:v1.7.6

ARG SOPS_VERSION="v3.6.1"
ARG HELM_SECRETS_VERSION="2.0.2"
ARG SOPS_PGP_FP="141B69EE206943BA9A64E691A00C9B1A7DCB6D07"

ENV SOPS_PGP_FP=${SOPS_PGP_FP}

# Install sops, then replace the stock helm/helm2 binaries with the wrapper;
# the original binaries are kept as helm.bin and helm2.bin.
USER root
COPY helm-wrapper.sh /usr/local/bin/
RUN apt-get update && \
    apt-get install -y \
    curl \
    gpg && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    curl -o /usr/local/bin/sops -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux && \
    chmod +x /usr/local/bin/sops && \
    cd /usr/local/bin && \
    mv helm helm.bin && \
    mv helm2 helm2.bin && \
    mv helm-wrapper.sh helm && \
    ln helm helm2 && \
    chmod +x helm helm2

# Install the plugin as the argocd user, using the real binary rather than the wrapper.
USER argocd
RUN /usr/local/bin/helm.bin plugin install https://github.com/zendesk/helm-secrets --version ${HELM_SECRETS_VERSION}
ENV HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/"
```
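
A wrapper of the kind discussed in this thread, as an added example that is not code from any participant or from Argo CD: it routes the subcommands that the helm-secrets help text lists as wrappers through `helm secrets`, and when the plugin is not registered in the process that actually runs helm it fails with a message naming the user and plugin directory. The `/usr/local/bin` layout with `helm.bin`/`helm2.bin` is taken from the Dockerfile above; the function names and the default `HELM_PLUGINS` value are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helm wrapper, not code from this thread.
# Assumes the layout from the Dockerfile above: this file is installed as
# /usr/local/bin/helm, hard-linked to helm2, beside helm.bin and helm2.bin.
BIN_DIR=/usr/local/bin
export HELM_PLUGINS="${HELM_PLUGINS:-/home/argocd/.local/share/helm/plugins/}"

# Map the name we were invoked as to the renamed real binary. Only the two
# known names are accepted, so an unexpected $0 cannot select another program.
real_binary_for() {
  case "${1##*/}" in
    helm|helm2) printf '%s/%s.bin\n' "$BIN_DIR" "${1##*/}" ;;
    *) return 1 ;;
  esac
}

# True for the subcommands the helm-secrets help text lists as wrappers
# that decrypt secrets[.*].yaml files before running helm.
wraps_subcommand() {
  case "${1:-}" in
    install|template|upgrade|lint|diff) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `helm plugin list` output on stdin; true if a plugin named
# "secrets" is registered for the invoking user and environment.
plugin_listed() {
  awk '$1 == "secrets" { found = 1 } END { exit !found }'
}

main() {
  real=$(real_binary_for "$0") || { echo "helm wrapper: unexpected name $0" >&2; exit 126; }
  if wraps_subcommand "${1:-}"; then
    if ! "$real" plugin list 2>/dev/null | plugin_listed; then
      echo "helm wrapper: secrets plugin not visible to $(id -un) in $HELM_PLUGINS" >&2
      exit 1
    fi
    exec "$real" secrets "$@"
  fi
  exec "$real" "$@"
}

# Run only when invoked under the wrapper's installed names, so the file
# can also be sourced to exercise the helper functions.
case "${0##*/}" in
  helm|helm2) main "$@" ;;
esac
```
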
PatrickSplice commented 3 years ago

So, I'm assuming including a helm wrapper script is still the only way to use an installed plugin? For example, 'helm secrets install'.

PatrickSplice commented 3 years ago

So, I was able to get my helm wrapper script to work so that it executes helm2 secrets template when building the manifests to install. However, the resulting values are messed up. How are the values in the UI built? If I include helm charts and secrets.yaml, etc on my custom argocd image, I can do a helm template command that properly reads my secrets and spits out the expected manifests.

rgeraskin commented 3 years ago

> So, I'm assuming including a helm wrapper script is still the only way to use an installed plugin? For example, 'helm secrets install'.

We could use the helm secrets plugin without a wrapper script. It is possible to specify secrets values like secrets://secrets.yaml instead of secrets.yaml. See #6636

nitishfy commented 1 month ago

Hi, are there any updates on this issue?