jkroepke / helm-secrets

A helm plugin that helps manage secrets with Git workflow and store them anywhere
https://github.com/jkroepke/helm-secrets/wiki
Apache License 2.0

ArgoCD w/ SOPS leveraging AWS KMS #165

Closed jmclean-starburst closed 2 years ago

jmclean-starburst commented 2 years ago

Problem Statement

I am unable to leverage this plugin in its current state while using AWS KMS Keys and SOPS. Do you know if there is support for this, or am I just leveraging helm-secrets incorrectly?

helm secrets version = v3.9.1

Proposed Solution

No response

Environment

Additional information

No response

Acceptance Criteria

No response

jkroepke commented 2 years ago

Hi,

In the background, helm-secrets is a wrapper around sops. helm-secrets supports all features that are supported by sops.

Check out https://github.com/mozilla/sops#kms-aws-profiles for integrating sops with AWS KMS. Additionally, you need to provide credentials so that sops is authorized to call the AWS KMS keys.

In case you are running EKS, I recommend using IRSA. You can also provide the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that hold credentials for a valid AWS IAM account.

jmclean-starburst commented 2 years ago

I had assumed as much... just things are a bit wonky w/ my ArgoCD referencing a sops encrypted file; one possibility is that I am forced to use the umbrella chart pattern because ArgoCD doesn't support values on a local filesystem/repo, only values within the repository containing the helm chart definition. The umbrella chart pattern allows values to be set on a local filesystem/repo.

More info https://argo-cd.readthedocs.io/en/stable/user-guide/helm/

Values files must be in the same git repository as the Helm chart. The files can be in a different location in which case it can be accessed using a relative path relative to the root directory of the Helm chart.

I have been hoping for this bad boy to close soon https://github.com/argoproj/argo-cd/pull/6280

jkroepke commented 2 years ago

Check out https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#known-limitations for some workarounds.

jmclean-starburst commented 2 years ago

This doesn't seem to be working; I have the below for my valuesFiles:

secrets://my-ns-w-secret/secret-name#secret-key?https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml

Is there a way I can debug this further? The below shows the helm plugin installed on the argocd-repo-server:

argocd@argocd-repo-server-7b75c656-rbfk2:~$ helm plugin list
NAME    VERSION DESCRIPTION
secrets 3.9.1   This plugin provides secrets values encryption for Helm charts secure storing

argocd@argocd-repo-server-7b75c656-rbfk2:~$ helm version
version.BuildInfo{Version:"v3.6.0", GitCommit:"7f2df6467771a75f5646b7f12afb408590ed1755", GitTreeState:"clean", GoVersion:"go1.16.3"}

ArgoCD version: 2.1.5

Nit: the docs have a third / on one of the markdown code references.

jkroepke commented 2 years ago

In case you have a sops encrypted file with AWS KMS, you can use something like this.

secrets://https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml

The my-ns-w-secret/secret-name#secret-key syntax is used in case you are using gpg or age encryption instead of AWS KMS.
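To make the two reference forms from this thread concrete, here is an added example (not helm-secrets' own parser, and not code from the maintainer) that splits an ArgoCD valuesFiles entry into its parts: the plain `secrets://<url>` form, where sops must reach AWS KMS with the repo-server's own credentials, and the `secrets://<namespace>/<secret-name>#<key>?<url>` form, where the gpg or age key material is read from a Kubernetes Secret. The `SecretsRef` name and the https-only assumption are mine.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SecretsRef:
    """One parsed secrets:// values reference (hypothetical helper type)."""
    remote_url: str
    namespace: Optional[str] = None
    secret_name: Optional[str] = None
    secret_key: Optional[str] = None

    @property
    def uses_k8s_secret(self) -> bool:
        # True for the gpg/age form; False for the KMS form, where no
        # Kubernetes Secret is involved and sops needs AWS credentials
        # (IRSA or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY) on the repo-server.
        return self.secret_name is not None


def parse_secrets_ref(ref: str) -> SecretsRef:
    """Parse the two reference forms shown in the thread.

    Assumption: only https:// remote URLs are accepted here.
    """
    prefix = "secrets://"
    if not ref.startswith(prefix):
        raise ValueError(f"not a secrets:// reference: {ref}")
    rest = ref[len(prefix):]

    # Form 1: secrets://https://host/path/values.yml  (AWS KMS, no k8s Secret)
    if rest.startswith("https://"):
        return SecretsRef(remote_url=rest)

    # Form 2: secrets://<namespace>/<secret-name>#<key>?https://host/path.yml
    locator, sep, remote = rest.partition("?")
    if not sep or not remote.startswith("https://"):
        raise ValueError(f"missing or non-https remote URL in: {ref}")
    ns_and_name, sep, key = locator.partition("#")
    if not sep or not key:
        raise ValueError(f"missing '#<secret-key>' in: {ref}")
    namespace, sep, name = ns_and_name.partition("/")
    if not sep or not namespace or not name:
        raise ValueError(f"expected '<namespace>/<secret-name>' in: {ref}")
    return SecretsRef(remote_url=remote, namespace=namespace,
                      secret_name=name, secret_key=key)
```

Running the parser over a valuesFiles entry before deploying shows at a glance whether ArgoCD will expect a Kubernetes Secret (gpg/age) or rely on the repo-server's AWS identity (KMS).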

jmclean-starburst commented 2 years ago

So... this is going to sound weird... but this works if I clone down your repository and add the plugin via helm plugin install ./helm-secrets, but if I install the plugin via the remote git repo (helm plugin install https://github.com/jkroepke/helm-secrets), I get something like the below:

Error: failed to parse secrets://secrets.yaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal array into Go value of type map[string]interface {}

jkroepke commented 2 years ago

I have no idea here, except to check whether the plugin.yaml is equal at the plugin root.

jmclean-starburst commented 2 years ago

FWIW, I found my issue (plaguing my soul for 3 days).

I referenced a helm-secrets version of v3.9.1 in my ArgoCD Dockerfile, whereas it should have been 3.9.1. Painful... however, I do think that through this journey I will try to contribute so we can use a k8s secret for fetching remote repos, instead of injecting directly within the URL (similar to GPG). More to come!

jmclean-starburst commented 2 years ago

https://github.com/jkroepke/helm-secrets/pull/168

jkroepke commented 2 years ago

Mention that the age support is available since 3.10.0.

Kiruthikameena commented 1 year ago

@jmclean-starburst I am trying to use AWS KMS as well and facing some issues, could you please guide if something is wrong with the setup?

The issue is described here https://github.com/jkroepke/helm-secrets/issues/394. Thanks in advance!