Closed jmclean-starburst closed 2 years ago
Hi,
In the background, helm-secrets is a wrapper around sops. helm-secrets supports all features that are supported by sops.
Check out https://github.com/mozilla/sops#kms-aws-profiles to integrate sops and AWS KMS. Additionally, you need to provide credentials so that sops is authorized to call the AWS KMS keys.
In case you are running EKS, I recommend using IRSA. You can also provide the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that hold credentials for a valid AWS IAM account.
I had assumed as much... just things are a bit wonky w/ my ArgoCD referencing a sops encrypted file; one possibility is that I am forced to use the umbrella chart pattern because ArgoCD doesn't support values on a local filesystem/repo; only values within the repository containing the helm chart definition. The umbrella chart pattern allows values to be set on a local filesys/repo.
More info https://argo-cd.readthedocs.io/en/stable/user-guide/helm/
Values files must be in the same git repository as the Helm chart. The files can be in a different location in which case it can be accessed using a relative path relative to the root directory of the Helm chart.
I have been hoping for this bad boy to close soon https://github.com/argoproj/argo-cd/pull/6280
Check out https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#known-limitations for some workarounds.
This doesn't seem to be working; I have the below for my valuesFiles:
- secrets://my-ns-w-secret/secret-name#secret-key?https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml
Is there a way I can debug this further? The below shows the helm plugin installed on the argocd-repo-server:
argocd@argocd-repo-server-7b75c656-rbfk2:~$ helm plugin list
NAME VERSION DESCRIPTION
secrets 3.9.1 This plugin provides secrets values encryption for Helm charts secure storing
argocd@argocd-repo-server-7b75c656-rbfk2:~$ helm version
version.BuildInfo{Version:"v3.6.0", GitCommit:"7f2df6467771a75f5646b7f12afb408590ed1755", GitTreeState:"clean", GoVersion:"go1.16.3"}
ArgoCD version: 2.1.5
Nit: the docs has a third / on one of the markdown code references
In case you have a sops encrypted file with AWS KMS, you can use something like this.
secrets://https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml
The my-ns-w-secret/secret-name#secret-key syntax is used in case you are using gpg or age encryption instead of AWS KMS.
so...this is going to sound weird...but this works if I clone down your repository and add the plugin via helm plugin install ./helm-secrets, but if I install the plugin via the remote git repo (helm plugin install https://github.com/jkroepke/helm-secrets), I get something like the below:
Error: failed to parse secrets://secrets.yaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal array into Go value of type map[string]interface {}
I have no idea here, except to check whether the plugin.yaml is equal at the plugin root.
FWIW - I found my issue (plaguing my soul for 3 days)
I referenced a helm-secrets version of v3.9.1 in my ArgoCD Dockerfile, whereas it should have been 3.9.1. Painful...however I do think through this journey, I will try to contribute so we can use a k8s secret for fetching remote repos, instead of injecting directly within the URL (similar to GPG). More to come!
Mention that the age support is available since 3.10.0
@jmclean-starburst I am trying to use AWS KMS as well and facing some issues, could you please guide if something is wrong with the setup?
The issue is described here https://github.com/jkroepke/helm-secrets/issues/394. Thanks in advance!
Problem Statement
I am unable to leverage this plugin in its current state while using AWS KMS Keys and SOPS. Do you know if there is support for this or am I just leveraging helm-secrets incorrectly?
helm secrets version = v3.9.1