jkroepke / helm-secrets

A Helm plugin that helps manage secrets with a Git workflow and store them anywhere
https://github.com/jkroepke/helm-secrets/wiki
Apache License 2.0
1.53k stars 129 forks

ArgoCD Helm Secrets with SOPS - secrets.yaml not loading into parameters #389

Closed sergeiwaigant closed 1 year ago

sergeiwaigant commented 1 year ago

Current Behavior

I am trying to get ArgoCD running with Helm Secrets and the SOPS backend. The application that I define in ArgoCD is as follows:

---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  finalizers:
    - resources-finalizer.argocd.argoproj.io
  name: app-name
  namespace: argocd
spec:
  project: default
  destination:
    namespace: app-namespace
    server: https://kubernetes.default.svc
  source:
    repoURL: https://git.server.local/owner/gitops.git
    path: dev/app-name
    targetRevision: dev
    helm:
      valueFiles:
        - values.yaml
        - secrets://secrets.yaml

In the GitOps repository I have the following files in the dev branch and the dev/app-name folder.

---
# Chart.yaml
apiVersion: v2
name: app-name
type: application
version: 0.1.0
appVersion: "1.0"
dependencies:
- name: helm-app
  alias: app
  version: "0.0.7"
  repository: https://repo.server.local/artifactory/helm.private.repo
---
# values.yaml
image:
  registry: repo.server.local
  repository: docker/app-name
  tag: 0.1.0
imagePullSecrets:
  - name: pull-secret-repo-server-local
appPort: 50200
keycloakClientBase: app-name
configMap:
  spring.datasource.app.jdbc: jdbc://path.to.database/connection-string
  spring.datasource.app.username: someusername
---
# secrets.yaml
configMap:
  spring.datasource.app.password: ENC[AES256_GCM,data:swrjGq63T7B4y3i09rd0sfLE,iv:wRFyEnMk2w4ZlqAFzxHE2Qtb376t5MJFpqpnIgwRg9k=,tag:ZO6XfWHoWoJntNQgoX/48Q==,type:str]
sops: {} # sops metadata
---
# repo server config (only relevant)
<snip>
  initContainers:
    - name: download-tools
      ......... more or less the same that I took from the examples just with some adjustments for the on-prem environment ......... 
<snip>
  volumeMounts:
    - mountPath: /custom-tools
      name: custom-tools
    - mountPath: /usr/local/sbin/helm
      subPath: helm
      name: custom-tools
    - mountPath: /pgp-private-keys/
      name: pgp-private-keys

  volumes:
    - name: custom-tools
      emptyDir: {}
    - name: pgp-private-keys
      secret:
        secretName: pgp-private-keys
  env:
    - name: HELM_SECRETS_LOAD_GPG_KEYS
      value: /pgp-private-keys/key.asc
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_VALS_PATH
      value: /custom-tools/vals
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
    - name: HELM_SECRETS_CURL_PATH
      value: /custom-tools/curl
    - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
      value: "false"
    - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
      value: "true"
    - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
      value: "false"
    - name: HELM_SECRETS_HELM_PATH
      value: /usr/local/bin/helm
    - name: HELM_SECRETS_WRAPPER_ENABLED
      value: "true"
    - name: HELM_SECRETS_DEBUG
      value: "true"
<snip>
---
# other relevant configs for argo-cd helm chart
<snip>
configs:
  cm:
    helm.valuesFileSchemes: >-
      secrets+gpg-import, secrets+gpg-import-kubernetes,
      secrets+age-import, secrets+age-import-kubernetes,
      secrets,secrets+literal,
      https
<snip>
  1. The behaviour now is that I can see the parameters in ArgoCD under app details -> parameters, but only those out of values.yaml; it is not complaining about secrets.yaml, but it is also not loading its values

  2. If I change secrets://secrets.yaml to something like secrets://secrets-wrong-name.yaml, it's complaining that the file cannot be found... so the git checkout and the secrets plugin are trying to do something with that file. Also, setting HELM_SECRETS_DEBUG=true prints more detailed information in the log, pointing out that the file cannot be found... if the filename is consistent, no error message is visible but the above behaviour exists

  3. On the other hand, if I jump into the repo server container, write the same secret.yaml into /tmp and run helm secrets decrypt secret.yaml, it's perfectly decrypting the file and printing it on stdout. Therefore I would assume that setting up helm-secrets and sops with the gpg key is all correct

  4. I tried to move the values in secrets.yaml under something like helm-app.configMap or just app.configMap to match the name of the helm chart or the alias, but that didn't work either

  5. I tried the multi-source approach first, but that didn't work either, and I saw that it's in beta. Would be happy to provide more details here if required, since I feel that would be the more correct approach and it would remove the requirement of the Chart.yaml

Maybe someone can see what small mistake I did... :)

Expected Behavior

The provided helm.valuesFiles (values.yaml and secrets.yaml) should be merged together and handed over to the helm deployment.

Steps To Reproduce

No response

Environment

Anything else?

No response
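The issue above hinges on two things that are easy to check offline: how Helm merges the two value files (values.yaml, then secrets.yaml after decryption), and what a dependency with alias `app` actually sees from that merged tree. The following is an added example written for this page, not code from the helm-secrets project or from the issue author. It models standard Helm behaviour: `-f` files are deep-merged in order with later files winning (maps merge key by key, any other value is replaced), and a subchart only sees the subtree under its alias plus `global`. The inputs are Python dicts constructed to mirror the YAML files posted in the issue (no YAML library needed); the decrypted password is a made-up placeholder, and the `diagnose` helper and its report keys are this example's own names. It does not claim to identify the cause of the issue; it gives a local way to see which of the two failure modes you are in (secret never loaded vs. loaded but still encrypted) and which layout reaches the subchart.

```python
"""Offline model of Helm's values merge and subchart scoping.

Added example for this page; not part of helm-secrets or the issue.
Assumptions: dict inputs mirror the issue's YAML files; the decrypted
password value is a placeholder; 'diagnose' is a helper invented here.
"""
from copy import deepcopy

# Constructed to mirror values.yaml from the issue.
VALUES = {
    "image": {"registry": "repo.server.local",
              "repository": "docker/app-name", "tag": "0.1.0"},
    "imagePullSecrets": [{"name": "pull-secret-repo-server-local"}],
    "appPort": 50200,
    "keycloakClientBase": "app-name",
    "configMap": {
        "spring.datasource.app.jdbc": "jdbc://path.to.database/connection-string",
        "spring.datasource.app.username": "someusername",
    },
}

# Constructed: secrets.yaml as Helm would see it if helm-secrets did NOT
# decrypt it (ciphertext shortened; the sops metadata block is still there).
SECRETS_ENCRYPTED = {
    "configMap": {
        "spring.datasource.app.password":
            "ENC[AES256_GCM,data:swrjGq63T7B4y3i09rd0sfLE,iv:...,tag:...,type:str]",
    },
    "sops": {},
}

# Constructed: the same file after a successful decrypt (placeholder value;
# sops removes its metadata block on decrypt).
SECRETS_DECRYPTED = {
    "configMap": {"spring.datasource.app.password": "placeholder-password"},
}


def coalesce(base, override):
    """Deep-merge override into a copy of base, Helm -f style: later wins,
    nested maps merge key by key, everything else (lists too) is replaced."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = coalesce(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def merge_values_files(*files):
    """Merge value files in the order they would be passed with -f."""
    merged = {}
    for f in files:
        merged = coalesce(merged, f)
    return merged


def subchart_values(merged, alias):
    """Values visible to a dependency: its own alias/name key plus 'global'.
    Top-level parent keys (like 'configMap' here) are NOT passed down."""
    scoped = deepcopy(merged.get(alias, {}))
    if "global" in merged:
        scoped["global"] = deepcopy(merged["global"])
    return scoped


def find_encrypted_leaves(values, path=""):
    """Dotted paths of string leaves still carrying SOPS ENC[...] ciphertext,
    i.e. the file was loaded but never decrypted."""
    found = []
    if isinstance(values, dict):
        for k, v in values.items():
            found += find_encrypted_leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(values, list):
        for i, v in enumerate(values):
            found += find_encrypted_leaves(v, f"{path}[{i}]")
    elif isinstance(values, str) and values.startswith("ENC["):
        found.append(path)
    return found


def diagnose(values, secrets, alias="app"):
    """Report what the merge produced and what the aliased subchart receives."""
    merged = merge_values_files(values, secrets)
    return {
        "merged_top_level_keys": sorted(merged),
        "encrypted_leaves": find_encrypted_leaves(merged),
        "sops_metadata_present": "sops" in merged,
        "subchart_values": subchart_values(merged, alias),
    }


if __name__ == "__main__":
    for label, secrets in (("encrypted", SECRETS_ENCRYPTED),
                           ("decrypted", SECRETS_DECRYPTED)):
        print(label, diagnose(VALUES, secrets))
    # Same files nested under the alias, as tried in point 4 of the issue:
    nested = merge_values_files({"app": VALUES}, {"app": SECRETS_DECRYPTED})
    print("nested under alias:", subchart_values(nested, "app")["configMap"])
```

Running it shows that with the flat layout the merged `configMap` does contain the password once decryption succeeds, but `subchart_values(..., "app")` is empty because nothing sits under the `app:` key; nesting both files under the alias is what makes the keys reach the `app` dependency. An `ENC[` leaf or a surviving `sops` key in the merged tree means the file was read without being decrypted, which is a different failure from the file not being loaded at all.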

jkroepke commented 1 year ago

Could you provide the output from HELM_SECRETS_DEBUG=true with secrets://secrets.yaml?

Could you retry it with HELM_SECRETS_WRAPPER_ENABLED=false? This also requires a hard refresh to clear the cache.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.