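server:
  config:
    # https://github.com/argoproj/argo-cd/blob/master/docs/user-guide/config-management-plugins.md#plugins
    #
    # Plugin registration through argocd-cm. The value below is a string
    # that Argo CD re-parses as YAML, so comments cannot be placed inside it.
    # NOTE(review): the `vault` plugin declares only `init`; the linked docs
    # mark `generate` as required — confirm that entry is actually usable.
    # NOTE(review): VAULT_ADDR is plain http; the Kubernetes-auth login and
    # the secret read travel unencrypted inside the cluster — prefer TLS.
    # NOTE(review): newer Argo CD releases replaced argocd-cm plugins with
    # sidecar plugins — confirm against the Argo CD version being deployed.
    configManagementPlugins: |
      - name: vault
        init:
          command: ["/bin/sh", "-c"]
          args:
          - >-
            export VAULT_ADDR=http://vault.vault:8200;
            export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role=argocd jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token));
            vault kv get -field=$VAULT_SECRET_KEY $VAULT_SECRET_PATH > $VAULT_SECRET_MOUNT;
      - name: helm-vault
        init:
          command: ["argocd-plugin-helm-vault"]
          args: ['init']
        generate:
          command: ["argocd-plugin-helm-vault"]
          args: ['generate']
      - name: helmfile-vault
        init:
          command: ["argocd-plugin-helmfile-vault"]
          args: ['init']
        generate:
          command: ["argocd-plugin-helmfile-vault"]
          args: ['generate']

repoServer:
  # Tools downloaded by the init container are shared with the repo-server
  # container through this emptyDir and surfaced one binary per subPath.
  volumes:
    - name: custom-tools
      emptyDir: {}
  volumeMounts:
    - mountPath: /usr/local/bin/helmfile
      name: custom-tools
      subPath: helmfile
    - mountPath: /usr/local/bin/vault
      name: custom-tools
      subPath: vault
    - mountPath: /usr/local/bin/argocd-plugin-helmfile-vault
      name: custom-tools
      subPath: argocd-plugin-helmfile-vault
    - mountPath: /usr/local/bin/argocd-plugin-helm-vault
      name: custom-tools
      subPath: argocd-plugin-helm-vault
  initContainers:
    - name: download-tools
      # NOTE(review): tag-pinned only; pin by digest (image@sha256:<digest>)
      # if the tool-download step must be reproducible.
      image: abdennour/curl-zip:alpine-3.13
      command: [sh, -c]
      # `-f` makes curl exit non-zero on an HTTP error response instead of
      # writing the error page to disk, where `chmod +x` would turn it into
      # a broken "binary" that only fails at plugin run time.
      # helmfile and vault are version-pinned but not checksum-verified; the
      # two plugin scripts are pinned to gist commit SHAs. Verifying the
      # release downloads with sha256sum against a known digest is advised.
      args:
        - >-
          curl -fSsL -o /custom-tools/helmfile https://github.com/roboll/helmfile/releases/download/v0.138.2/helmfile_linux_amd64
          && curl -fSsL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.5.0/vault_1.5.0_linux_amd64.zip
          && unzip /tmp/vault.zip -d /custom-tools/
          && curl -fSsL -o /custom-tools/argocd-plugin-helmfile-vault https://gist.githubusercontent.com/abdennour/36618a85f56a10126286ae5b287eb0ed/raw/c61fbc43cf609493afa762d02574611514d8f8b0/argocd-plugin-helmfile-vault.sh
          && curl -fSsL -o /custom-tools/argocd-plugin-helm-vault https://gist.githubusercontent.com/abdennour/36618a85f56a10126286ae5b287eb0ed/raw/092a93a698771754ac0e36091cdcf3504b85d6f6/argocd-plugin-helm-vault.sh
          && chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools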
#!/bin/bash
# GNU GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
# @required $VAULT_SECRET_KEY | $VAULT_SECRET_PATH | $VAULT_SECRET_MOUNT
# @optional $VAULT_ADDR | $VAULT_AUTH_ROLE
# @optional $HELM_ARGS
# @builtin $ARGOCD_APP_NAMESPACE | $ARGOCD_APP_NAME
variable_expansion() {
# prefer envsubst if available, fallback to perl
if [[ $(which envsubst) ]]; then
echo -n "${@}" | envsubst
else
echo -n "${@}" | perl -pe 's/\$(\{)?([a-zA-Z_]\w*)(?(1)\})/$ENV{$2}/g'
fi
}
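# Entry point: invoked by Argo CD as `argocd-plugin-helm-vault init|generate`.
# generate writes the manifests to stdout, so diagnostics go to stderr.
phase=$1
case "${phase}" in
"init")
  # Fetch the chart dependencies so `helm template` can render offline.
  helm dep update
  ;;
"generate")
  export VAULT_ADDR=${VAULT_ADDR:-"http://vault.vault:8200"}
  export VAULT_AUTH_ROLE=${VAULT_AUTH_ROLE:-"argocd"}
  # Log in with the pod's service-account JWT. The token is passed by file
  # path (`@file`) rather than expanded onto the command line, so it is not
  # visible in the process list. Abort on failure instead of continuing with
  # an empty VAULT_TOKEN, which would otherwise only surface as an empty
  # values file and a silently mis-rendered chart.
  if ! VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
      role="${VAULT_AUTH_ROLE}" jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token); then
    echo "ERROR vault login failed (role=${VAULT_AUTH_ROLE}, addr=${VAULT_ADDR})" >&2
    exit 1
  fi
  export VAULT_TOKEN
  # Materialise the secret as the values file helm reads. The file is
  # created owner-only, and a failed read removes the (truncated) file and
  # aborts rather than letting helm template from partial data.
  umask 077
  if ! vault kv get -field="${VAULT_SECRET_KEY}" "${VAULT_SECRET_PATH}" > "${VAULT_SECRET_MOUNT}"; then
    rm -f "${VAULT_SECRET_MOUNT}"
    echo "ERROR vault kv get failed for ${VAULT_SECRET_PATH} (field ${VAULT_SECRET_KEY})" >&2
    exit 1
  fi
  # NOTE(review): the secret file stays on disk after rendering; this relies
  # on the repo-server checkout being ephemeral — confirm for the deployment.
  # HELM_ARGS is intentionally left unquoted so that, after environment
  # expansion, it is word-split into separate helm arguments.
  helm -n "${ARGOCD_APP_NAMESPACE}" template "${ARGOCD_APP_NAME}" . $(variable_expansion "${HELM_ARGS}")
  ;;
*)
  echo "ERROR invalid invocation argocd-plugin-helm-vault" >&2
  exit 1
  ;;
esac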
#!/bin/bash
# GNU GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
# @required $VAULT_SECRET_KEY | $VAULT_SECRET_PATH | $VAULT_SECRET_MOUNT
# @optional $VAULT_ADDR | $VAULT_AUTH_ROLE
# @optional $HELMFILE_FILE | $HELMFILE_ARGS
# @builtin $ARGOCD_APP_NAMESPACE
# Default the helmfile path; callers may override it through the environment.
: "${HELMFILE_FILE:=helmfile.yaml}"
export HELMFILE_FILE
variable_expansion() {
# prefer envsubst if available, fallback to perl
if [[ $(which envsubst) ]]; then
echo -n "${@}" | envsubst
else
echo -n "${@}" | perl -pe 's/\$(\{)?([a-zA-Z_]\w*)(?(1)\})/$ENV{$2}/g'
fi
}
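# Entry point: invoked by Argo CD as `argocd-plugin-helmfile-vault init|generate`.
# generate writes the manifests to stdout, so diagnostics go to stderr.
# pipefail: without it the generate pipeline's status is the last sed's, so
# a failing helmfile would still report success to Argo CD with empty or
# partial manifests.
set -o pipefail
phase=$1
case "${phase}" in
"init")
  # Register the chart repositories the helmfile refers to.
  helmfile -f "${HELMFILE_FILE}" repos
  ;;
"generate")
  export VAULT_ADDR=${VAULT_ADDR:-"http://vault.vault:8200"}
  export VAULT_AUTH_ROLE=${VAULT_AUTH_ROLE:-"argocd"}
  # Log in with the pod's service-account JWT. The token is passed by file
  # path (`@file`) rather than expanded onto the command line, so it is not
  # visible in the process list. Abort on failure instead of continuing with
  # an empty VAULT_TOKEN.
  if ! VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login \
      role="${VAULT_AUTH_ROLE}" jwt=@/var/run/secrets/kubernetes.io/serviceaccount/token); then
    echo "ERROR vault login failed (role=${VAULT_AUTH_ROLE}, addr=${VAULT_ADDR})" >&2
    exit 1
  fi
  export VAULT_TOKEN
  # Materialise the secret as the file helmfile reads. The file is created
  # owner-only, and a failed read removes the (truncated) file and aborts
  # rather than letting helmfile template from partial data.
  umask 077
  if ! vault kv get -field="${VAULT_SECRET_KEY}" "${VAULT_SECRET_PATH}" > "${VAULT_SECRET_MOUNT}"; then
    rm -f "${VAULT_SECRET_MOUNT}"
    echo "ERROR vault kv get failed for ${VAULT_SECRET_PATH} (field ${VAULT_SECRET_KEY})" >&2
    exit 1
  fi
  export HELMFILE_ARGS=${HELMFILE_ARGS:-"-e default"}
  # NOTE(review): the secret file stays on disk after rendering; this relies
  # on the repo-server checkout being ephemeral — confirm for the deployment.
  # HELMFILE_ARGS is intentionally left unquoted so that, after environment
  # expansion, it is word-split into separate helmfile arguments.
  # The two sed filters drop the deprecation warning line and rewrite the
  # removed apiregistration v1beta1 API group to v1 in the rendered output.
  helmfile -f "${HELMFILE_FILE}" $(variable_expansion "${HELMFILE_ARGS}") --state-values-set ns="${ARGOCD_APP_NAMESPACE}" \
    template --skip-deps |
    sed -e '/WARNING: This chart is deprecated/d' |
    sed -e 's|apiregistration.k8s.io/v1beta1|apiregistration.k8s.io/v1|g'
  ;;
*)
  echo "ERROR invalid invocation argocd-plugin-helmfile-vault" >&2
  exit 1
  ;;
esac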