Open gregdurham opened 5 years ago
Another question, how would you handle an application with multiple configuration types, i.e. the application is deployed with helm, and a set of values. And you also for the deployment of the app, want to deploy some CRD, for instance an istio rule. Do you deploy each of these separately?
> - I see you have a bit of documentation on handling custom binaries but I don’t see how they are used. For instance using something like git-crypt to handle secrets stored in git.
Currently the only application source which can take advantage of these custom tools, are kustomize 1.0 applications with its secretGenerator feature, which allows execution of arbitrary commands to generate the secret values. NOTE: this feature is being removed in kustomize 2.0 due to security concerns.
> 2. how would I use a helm plugin. For instance if I wanted to do tillerless helm by using the helm tiller plugin or storing secrets using the helm secrets plugin.
For helm, installation of plugins would need to be done by custom building the repo server with the helm plugin installed. But to leverage these plugins, Argo CD needs to add support for running arbitrary commands/scripts to render the YAML. This feature is being tracked here: https://github.com/argoproj/argo-cd/issues/701
I wonder if a way around this limitation for helm is to inject a wrapper script that does the decryption on the fly transparently to Argo and also run the helm tiller plugin. Basically replace the helm binary with a script that takes the args and passes them into helm with all of the plugins enabled.
> Basically replace the helm binary with a script that takes the args and passes them into helm with all of the plugins enabled.
Yep, that would be a workaround until we support the ability to run custom commands.
Sweet. Thanks.
@jessesuen, I'd also like to know your suggestions on how to install a helm chart with a values file located in a git-crypt encrypted repo? I'd assume that this is a fairly common work pattern.
I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - ComparisonError rpc error: code = Unknown desc = Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I think this issue should stay open until custom binary support is added. Not sure if anyone agrees
This should be fixed by the use of config management plugin.
> I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - ComparisonError rpc error: code = Unknown desc = Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.
Any luck with this? I am struggling with utilizing helm secrets via plugin support (eks + kms oidc/rbac ) and the docs are lacking unfortunately, especially for the argocd-cm configmap needed for helm secrets to work :-(
> I'm trying to use helm secrets with argocd as well. I tried to use a wrapper script (custom build on repoServer - added AWS env's for KMS access). When trying to sync the app I get this error - ComparisonError rpc error: code = Unknown desc = Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.
>
> Any luck with this? I am struggling with utilizing helm secrets via plugin support (eks + kms oidc/rbac ) and the docs are lacking unfortunately, especially for the argocd-cm configmap needed for helm secrets to work :-(
Your problem is probably that you install the helm plugin with root user instead of argocd. Try changing the user in your Dockerfile before installing the plugin.

```dockerfile
...
# Install the plugin as the user Argo CD runs helm as, not as root
USER argocd
# Helm 3 reads the plugin directory from HELM_PLUGINS
ENV HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/"
RUN helm plugin install https://github.com/zendesk/helm-secrets
```
@toninis did you make this work?
I have the same error using a wrapper script, did your suggestion to install helm secrets as the argocd user in the Dockerfile. One thing I don't understand is that when I kubectl exec to the argocd server pod, the helm secrets wrapper seems to be working. But when argocd runs the helm template command, it seems to still use the non-wrapped helm binary.
```
kubectl exec pio-argocd-server-b78c5b4fc-czmpx -- whoami
argocd
kubectl exec pio-argocd-server-b78c5b4fc-vswdh -- which helm
/usr/local/bin/helm
ka exec pio-argocd-server-b78c5b4fc-vswdh -- cat $(which helm)
#! /bin/sh
# my helm wrapper code
# the wrapper working here as helm default output is replaced by helm secrets default output
kubectl exec pio-argocd-server-b78c5b4fc-czmpx -- helm
GnuPG secrets encryption in Helm Charts
This plugin provides ability to encrypt/decrypt secrets files
to store in less secure places, before they are installed using
Helm.
To decrypt/encrypt/edit you need to initialize/first encrypt secrets with
sops - https://github.com/mozilla/sops
Available Commands:
  enc       Encrypt secrets file
  dec       Decrypt secrets file
  view      Print secrets decrypted
  edit      Edit secrets file and encrypt afterwards
  clean     Remove all decrypted files in specified directory (recursively)
  install   wrapper that decrypts secrets[.*].yaml files before running helm install
  template  wrapper that decrypts secrets[.*].yaml files before running helm template
  upgrade   wrapper that decrypts secrets[.*].yaml files before running helm upgrade
  lint      wrapper that decrypts secrets[.*].yaml files before running helm lint
  diff      wrapper that decrypts secrets[.*].yaml files before running helm diff
            (diff is a helm plugin)
```
But argocd is giving me rpc error: code = Unknown desc = helm template . --name-template ... failed exit status 1: Error: unknown command "secrets" for "helm" Run 'helm --help' for usage.
My whole Dockerfile:
```dockerfile
FROM argoproj/argocd:v1.7.6

ARG SOPS_VERSION="v3.6.1"
ARG HELM_SECRETS_VERSION="2.0.2"
ARG SOPS_PGP_FP="141B69EE206943BA9A64E691A00C9B1A7DCB6D07"
ENV SOPS_PGP_FP=${SOPS_PGP_FP}

USER root
COPY helm-wrapper.sh /usr/local/bin/

# Install curl, gpg and sops, then move the real helm binaries aside
# (helm.bin, helm2.bin) and put the wrapper in their place.
RUN apt-get update && \
    apt-get install -y \
        curl \
        gpg && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
    curl -o /usr/local/bin/sops -L https://github.com/mozilla/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux && \
    chmod +x /usr/local/bin/sops && \
    cd /usr/local/bin && \
    mv helm helm.bin && \
    mv helm2 helm2.bin && \
    mv helm-wrapper.sh helm && \
    ln helm helm2 && \
    chmod +x helm helm2

# Install the plugin as the argocd user, using the real binary
USER argocd
RUN /usr/local/bin/helm.bin plugin install https://github.com/zendesk/helm-secrets --version ${HELM_SECRETS_VERSION}
ENV HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/"
```
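
One possible body for the `helm-wrapper.sh` that the Dockerfile above copies in, as an added example that is not code from this thread or from Argo CD. It assumes the real binaries were renamed to `/usr/local/bin/helm.bin` and `/usr/local/bin/helm2.bin` as in that Dockerfile; the function names `needs_secrets` and `real_binary` are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helm-wrapper.sh, installed as /usr/local/bin/helm
# and hard-linked to /usr/local/bin/helm2 (assumption taken from the Dockerfile).

# Subcommands for which helm-secrets ships a decrypting wrapper, per the
# plugin help output quoted in this thread.
WRAPPED="template install upgrade lint diff"

# needs_secrets ARGS...: succeed only when the first argument is exactly one
# of the wrapped subcommands. Everything else (version, dependency, plugin,
# no arguments at all) is passed to the real binary untouched.
needs_secrets() {
  for sub in $WRAPPED; do
    [ "${1:-}" = "$sub" ] && return 0
  done
  return 1
}

# real_binary NAME: map the name the wrapper was invoked as (helm or helm2)
# to the renamed original binary next to it.
real_binary() {
  printf '/usr/local/bin/%s.bin\n' "${1##*/}"
}

# Dispatch only when invoked under one of the two linked names, so sourcing
# or testing this file never executes helm.
case "${0##*/}" in
  helm|helm2)
    real=$(real_binary "$0")
    if needs_secrets "$@"; then
      # "$@" stays quoted so arguments with spaces are not re-split.
      exec "$real" secrets "$@"
    fi
    exec "$real" "$@"
    ;;
esac
```

The plugin still has to be installed for the user and Helm version that the wrapper ends up calling, otherwise the real binary reports `unknown command "secrets"` exactly as in the errors quoted above.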
So, I'm assuming including a helm wrapper script is still the only way to use an installed plugin? For example, 'helm secrets install'.
So, I was able to get my helm wrapper script to work so that it executes helm2 secrets template when building the manifests to install. However, the resulting values are messed up. How are the values in the UI built? If I include helm charts and secrets.yaml, etc on my custom argocd image, I can do a helm template command that properly reads my secrets and spits out the expected manifests.
> So, I'm assuming including a helm wrapper script is still the only way to use an installed plugin? For example, 'helm secrets install'.
We could use the helm secrets plugin without wrapper script. It is possible to specify secrets values like secrets://secrets.yaml instead of secrets.yaml. See #6636
Hi, are there any updates on this issue?
Hello, I am looking at this tool and it looks well thought out. In looking at it, I have a couple of questions. 1) I see you have a bit of documentation on handling custom binaries but I don’t see how they are used. For instance using something like git-crypt to handle secrets stored in git. 2) how would I use a helm plugin. For instance if I wanted to do tillerless helm by using the helm tiller plugin or storing secrets using the helm secrets plugin.
Any tips would be much appreciated. Thanks!