Closed oliverpark999 closed 2 months ago
I never tested ApplicationSet, but as far as I know, ApplicationSet only generates Applications in the background based on templates.
Maybe this https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#multi-source-application-support is also required for ApplicationSet.
It would be nice to be able to check that behavior in "ApplicationSet" as well. The “application” works great.
Unlike "Application", 'secrets://' seems to be incompatible in "ApplicationSet".
So I applied it like below.
```yaml
helm:
  valueFiles:
    - "$values/values.yaml"
    - "$values/secrets.yaml"
```
However, in ArgoCD, only the default 'values' values are distributed. Of course, the Pod is abnormal. What should I do?
I need the full AppSet to get the context
What AppSet do you mean? Do I need to have the full code for my AppSet?
The full YAML manifest, yes.
My 'Application' and 'ApplicationSet' are as follows. In ApplicationSet, an error occurred in the '- secrets://secrets.yaml' line, so 'secrets://' was removed. Any clues?
```yaml
# Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: foobar
  namespace: argocd
spec:
  project: default
  source:
    repoURL: 'xxxxx/foobar.yaml'
    targetRevision: HEAD
    path: foo/foobar
    helm:
      valueFiles:
        - values.yaml
        - secrets://secrets.yaml
  destination:
    server: 'https://xxxxx'
    namespace: foobar
...omission...
...omission...
# ApplicationSet
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: foobar-helm
  namespace: argocd
spec:
  generators:
    - git:
        repoURL: xxxxxx
        revision: HEAD
        files:
          - path: "xxxxx/foobar.yaml"
  syncPolicy:
    preserveResourcesOnDeletion: true
  template:
    metadata:
      name: foobar
      namespace: argocd
    spec:
      project: default
      sources:
        - repoURL: xxxxxx
          chart: foobar
          targetRevision: v0.13
          helm:
            valueFiles:
              - "$values/values.yaml"
              - "$values/secrets.yaml"
        - repoURL: 'xxxxxx'
          targetRevision: HEAD
          ref: values
      destination:
        server: 'https://xxxxx'
        namespace: foobar
      syncPolicy:
        ...omission...
```
The ApplicationSet and the Application are completely different.
In ApplicationSet, the spec contains a Multi-Source application. However, the Application contains a single-source application.
So how can I use it in ApplicationSet ? Is it available?
In general yes.
How can I use it in ApplicationSet? If it's impossible, are there any plans to update ApplicationSet to also use Helm Secrets?
We have been using helm-secrets with ApplicationSet for some time:
```yaml
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: test-dev-0
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: [ "missingkey=error" ]
  generators:
    - git:
        repoURL: https://gitlab.com/deploy.git
        revision: main
        requeueAfterSeconds: 3600
        files:
          - path: dev/*.yaml
        values:
          env: dev
          releaseName: '{{ .path.filename | trimSuffix ".yaml" }}'
          app: bot
          botValuesFile: '{{ .path.path }}/{{ .path.filename }}'
  template:
    metadata:
      name: '{{ .values.releaseName }}'
      namespace: bot-0
      labels:
        app.kubernetes.io/name: '{{ .values.app }}'
        app.kubernetes.io/instance: '{{ .values.releaseName }}'
    spec:
      project: '{{ .values.env }}-0'
      sources:
        - ref: values
          targetRevision: main
          repoURL: https://gitlab.com/deploy.git
        - chart: app
          targetRevision: 0.99.17
          repoURL: https://dysnix.github.io/charts
          helm:
            valueFiles:
              - values.yaml
              - $values/common/values/bot.yaml
              - $values/{{ .values.env }}/values/bot.yaml
              - $values/common/values/{{ .values.app }}.yaml
              - $values/{{ .values.env }}/values/{{ .values.app }}.yaml
              - $values/{{ .values.botValuesFile }}
              - $values/{{ .values.env }}/secrets/{{ .values.app }}.yaml
      destination:
        name: in-cluster
        namespace: bot-0
...
```
We use the following helm-secrets related argoCD helm chart tuning
```yaml
repoServer:
  env:
    # https://github.com/argoproj/argo-cd/pull/17518
    - name: ARGOCD_HELM_ALLOW_CONCURRENCY
      value: "true"
    - name: HELM_PLUGINS
      value: /custom-tools/helm-plugins/
    - name: HELM_SECRETS_CURL_PATH
      value: /custom-tools/curl
    - name: HELM_SECRETS_SOPS_PATH
      value: /custom-tools/sops
    - name: HELM_SECRETS_KUBECTL_PATH
      value: /custom-tools/kubectl
    - name: HELM_SECRETS_BACKEND
      value: sops
    # for security
    - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
      value: "false"
    # we need to be able to ref secrets with ../
    - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
      value: "true"
    # start multi source support
    - name: HELM_SECRETS_WRAPPER_ENABLED
      value: "true"
    - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
      value: "true"
    # end multi source support
    - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
      value: "true"
    - name: HELM_SECRETS_HELM_PATH
      value: /usr/local/bin/helm
  volumes:
    - name: custom-tools
      emptyDir: {}
  volumeMounts:
    - mountPath: /custom-tools
      name: custom-tools
    - mountPath: /usr/local/sbin/helm
      subPath: helm
      name: custom-tools
  initContainers:
    - name: download-tools
      image: alpine:latest
      imagePullPolicy: IfNotPresent
      command:
        - sh
        - -ec
      env:
        - name: HELM_SECRETS_VERSION
          value: "4.6.0"
        - name: KUBECTL_VERSION
          value: "1.30.1"
        - name: SOPS_VERSION
          value: "3.8.1"
        - name: ARCH
          value: "arm64"
        - name: AARCH
          value: "aarch64"
        - name: OS
          value: "linux"
      args:
        - |
          mkdir -p /custom-tools/helm-plugins
          wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
          wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-${AARCH}
          wget -qO /custom-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.${OS}.${ARCH}
          wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/${OS}/${ARCH}/kubectl
          cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm
          chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
```
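Added example, not part of the comment above and not helm-secrets or Argo CD code: a Python preflight check that compares a rendered Application spec with the repo-server environment, using only the rules visible in this thread's configs. The helper name `preflight`, the finding texts and the empty repo-server environment in the sample are assumptions.

```python
"""Added example: preflight check for helm-secrets value files in Argo CD specs.
The rules mirror this thread's configs; they are assumptions, not a helm-secrets API."""

# Env vars the repo-server values above mark as "multi source support".
MULTI_SOURCE_ENV = ("HELM_SECRETS_WRAPPER_ENABLED",
                    "HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH")
# Path restrictions worth surfacing in review whenever they are switched on.
RELAXATIONS = ("HELM_SECRETS_VALUES_ALLOW_SYMLINKS",
               "HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL",
               "HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH")


def preflight(app_spec, repo_env):
    """Return findings for one rendered Application spec (hypothetical helper)."""
    env = {e["name"]: str(e.get("value", "")).lower() for e in repo_env}
    multi = "sources" in app_spec
    sources = app_spec["sources"] if multi else [app_spec.get("source", {})]
    refs = {s["ref"] for s in sources if "ref" in s}
    findings, uses_ref = [], False
    for i, src in enumerate(sources):
        for entry in (src.get("helm") or {}).get("valueFiles") or []:
            path = entry.removeprefix("secrets://")
            if multi and path != entry:
                findings.append(f"sources[{i}]: {entry} uses secrets:// in a "
                                "multi-source spec (reported failing in this thread)")
            if path.startswith("$"):
                uses_ref = True
                ref = path[1:].split("/", 1)[0]
                if ref not in refs:
                    findings.append(f"sources[{i}]: {entry} names undefined ref '{ref}'")
    if uses_ref:
        findings += [f"repo-server: {n} is not 'true' (set in the working config)"
                     for n in MULTI_SOURCE_ENV if env.get(n) != "true"]
    findings += [f"repo-server: {n}=true relaxes a path restriction"
                 for n in RELAXATIONS if env.get(n) == "true"]
    return findings


# Constructed input: the asker's ApplicationSet template; the repo-server env is
# not shown in the thread, so an empty one is assumed here.
ASKER_SPEC = {"sources": [
    {"repoURL": "xxxxxx", "chart": "foobar", "targetRevision": "v0.13",
     "helm": {"valueFiles": ["$values/values.yaml", "$values/secrets.yaml"]}},
    {"repoURL": "xxxxxx", "targetRevision": "HEAD", "ref": "values"}]}

if __name__ == "__main__":
    for line in preflight(ASKER_SPEC, repo_env=[]):
        print(line)
```

Run it against the output of an ApplicationSet dry run or the generated Application, with the `repoServer.env` list from the chart values as `repo_env`.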
I guess it works for you? @voron
Does it work out of the box?
Yes, it works for us in multiple environments and multiple clients
I did not test it out of the box though. I assume most if not all of the ArgoCD tweaks mentioned above are documented in the helm-secrets docs 👏
@oliverpark999 I guess you can't use the secrets://secrets.yaml syntax.
Current Behavior
I succeeded in 'encrypting' and 'decrypting' using 'Helm Secrets' and Argocd's 'Application'. But now I want to ‘encrypt’ and ‘decrypt’ using Argocd’s ‘ApplicationSet’. But an error occurs. Is 'ApplicationSet' not supported?
Expected Behavior
If you specify two '.yaml' files as in 'application' and deploy them to Argocd, deployment is successful.