travisghansen / argo-cd-helmfile

Integration between argo-cd and helmfile
MIT License
213 stars 55 forks

Helm secrets support #20

Closed kfirfer closed 2 years ago

kfirfer commented 2 years ago

Hello,

I have set up helm secrets in ArgoCD following this guide: https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration

And also installed the helmfile plugin in ArgoCD.

And I couldn't use helm secrets.

Example helmfile:

repositories:
  - name: k8s-at-home
    url: https://k8s-at-home.com/charts/

releases:
  - name: homer
    version: 7.2.2
    chart: k8s-at-home/homer
    namespace: homer
    values:
      - values.yaml
    secrets:
      - values-secrets.yaml
#      - secrets+gpg-import:///helm-secrets-private-keys/key.asc?values-secrets.yaml

Argo app:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  finalizers:
  - resources-finalizer.argocd.argoproj.io
  name: homer-helmfiles
  namespace: argocd
spec:
  destination:
    namespace: homer
    server: https://kubernetes.default.svc
  project: apps
  source:
    path: nucs/dev/us-east/apps/namespaces/homer/helmfile
    plugin:
      name: helmfile
    repoURL: https://<mygit>.git
    targetRevision: HEAD
  syncPolicy:
    automated:
      selfHeal: true

In nucs/dev/us-east/apps/namespaces/homer/helmfile:

.sops.yaml
helmfile.yaml - the file above
values.yaml
values-secrets.yaml - encrypted with helm secrets

Everything works as intended without using the secrets.

travisghansen commented 2 years ago

I doubt the custom integration would work with helmfile directly. In my case I use age with centrally managed keys which are published throughout the organization (each cluster has numerous keys available to it, a global key, a cluster key, an env key, etc). To make it all work it requires:

# set env on repo server
  - name: SOPS_AGE_KEY_FILE
    value: /sops/age/keys.txt

# volume for repo server
  - name: age-secret-keys
    secret:
      secretName: argocd-age-secret-keys

# volume mount for repo server
  - mountPath: /sops/age
    name: age-secret-keys

# create the secret
apiVersion: v1
kind: Secret
metadata:
  name: argocd-age-secret-keys
  namespace: argocd
stringData:
  keys.txt: |
    # place all keys here

kfirfer commented 2 years ago

I have managed to exec into the repo-server pod and import the gpg key, but this error is shown:

ERROR: exit status 1
EXIT STATUS 1
STDERR:
[helm-secrets] Values filepath '.nucs/dev/us-east/apps/namespaces/homer/helmfile/values-secrets.yaml' is an absolute path. Absolute paths are not allowed.
[helm-secrets] File does not exist: .nucs/dev/us-east/apps/namespaces/homer/helmfile/values-secrets.yaml
Error: plugin "secrets" exited with error
COMBINED OUTPUT:
[helm-secrets] Values filepath '.nucs/dev/us-east/apps/namespaces/homer/helmfile/values-secrets.yaml' is an absolute path. Absolute paths are not allowed.
[helm-secrets] File does not exist: .nucs/dev/us-east/apps/namespaces/homer/helmfile/values-secrets.yaml
Error: plugin "secrets" exited with error

kfirfer commented 2 years ago

Btw, I have also upgraded the helmfile version; it didn't seem to work (tried with the documented version as well).

          wget -qO /custom-tools/helmfile.tar.gz https://github.com/helmfile/helmfile/releases/download/v0.145.2/helmfile_0.145.2_linux_amd64.tar.gz
          tar -zxvf /custom-tools/helmfile.tar.gz -C /custom-tools
          chmod +x /custom-tools/helmfile

kfirfer commented 2 years ago

Forgot that the env var HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH was set to false (by the helm-secrets & argocd integration guide).

Checking if it works.

kfirfer commented 2 years ago

Had problems with gpg/pgp, needed to make a lot of changes like gpg_tty, importing the gpg somehow, etc. Moved to age and everything is much easier and works as intended.

ty!

travisghansen commented 2 years ago

Yeah I have gpg functioning as well, but it’s pretty messy to get going.
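
A preflight for the age setup described above (SOPS_AGE_KEY_FILE pointing at the mounted keys.txt), as an added example that is not part of the thread or the project's code: it checks whether the key file holds an identity for at least one age recipient of a sops-encrypted values file. The function names, return codes and sample contents are assumptions made for this example, and the sample keys are constructed placeholders.

```shell
#!/bin/sh
# Added example, not project code: does the age key file that sops reads hold
# an identity for at least one recipient of a sops-encrypted values file?

# age recipients listed in the "sops:" metadata of an encrypted YAML file
sops_recipients() {
    sed -n 's/^[[:space:]-]*recipient:[[:space:]]*\(age1[a-z0-9]*\).*$/\1/p' "$1"
}

# public keys from the "# public key:" comments that age-keygen writes
keyfile_pubkeys() {
    sed -n 's/^#[[:space:]]*public key:[[:space:]]*\(age1[a-z0-9]*\).*$/\1/p' "$1"
}

# check_age_keys ENCRYPTED_FILE [KEY_FILE]  (KEY_FILE defaults to $SOPS_AGE_KEY_FILE)
# returns 0 = a listed key matches a recipient, 1 = no key matches,
# 2 = cannot tell (unreadable input, no age recipients, identities without comments)
check_age_keys() {
    enc=$1
    keys=${2:-${SOPS_AGE_KEY_FILE:-}}
    if [ -z "$keys" ] || [ ! -r "$keys" ] || [ ! -r "$enc" ]; then
        echo "cannot read key file '$keys' or '$enc'" >&2; return 2
    fi
    recips=$(sops_recipients "$enc")
    if [ -z "$recips" ]; then
        echo "$enc lists no age recipients" >&2; return 2
    fi
    for r in $recips; do
        for p in $(keyfile_pubkeys "$keys"); do
            if [ "$r" = "$p" ]; then echo "usable key: $p"; return 0; fi
        done
    done
    ids=$(grep -c '^AGE-SECRET-KEY-' "$keys" || true)
    pubs=$(keyfile_pubkeys "$keys" | grep -c . || true)
    if [ "$ids" -gt "$pubs" ]; then
        echo "$ids identities, $pubs public-key comments: cannot confirm" >&2; return 2
    fi
    echo "no identity in $keys for: $(echo $recips)" >&2; return 1
}

# Constructed sample files (placeholder strings, not real age keys or sops output).
make_sample() {
    printf '%s\n' 'password: ENC[AES256_GCM,data:constructed,type:str]' 'sops:' \
        '    age:' '        - recipient: age1constructedclusterkey' \
        '          enc: constructed' > "$1/values-secrets.yaml"
    printf '%s\n' '# public key: age1constructedglobalkey' 'AGE-SECRET-KEY-1CONSTRUCTEDA' \
        '# public key: age1constructedclusterkey' 'AGE-SECRET-KEY-1CONSTRUCTEDB' > "$1/keys.txt"
}
```

A return code of 2 for a key file means it contains identities without `# public key:` comments, so a mismatch cannot be ruled out from the file alone.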