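# Argo CD Helm chart values: three config-management plugins that fetch a
# secret from Vault before rendering, plus the repo-server side-car wiring that
# downloads the tools those plugins call.
#
# Operational notes:
#   - VAULT_SECRET_KEY / VAULT_SECRET_PATH / VAULT_SECRET_MOUNT are read from
#     the plugin's environment at render time; whoever can set that environment
#     can choose which path the Vault role may read and where on the repo-server
#     filesystem it is written. Scope the Vault policy for the `argocd` role to
#     exactly the paths these applications need.
#   - VAULT_ADDR below is plain http: the service-account JWT sent to Vault and
#     the Vault token returned cross the cluster network unencrypted. Prefer an
#     https listener with a trusted CA where the Vault deployment supports it.
server:
  config:
    # https://github.com/argoproj/argo-cd/blob/master/docs/user-guide/config-management-plugins.md#plugins
    # The value is a string that Argo CD itself parses as YAML, so the inner
    # document's indentation has to be consistent on its own.
    configManagementPlugins: |
      - name: vault
        init:
          command: ["/bin/sh", "-c"]
          args:
            - >-
              export VAULT_ADDR=http://vault.vault:8200;
              export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role=argocd jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token));
              vault kv get -field="$VAULT_SECRET_KEY" "$VAULT_SECRET_PATH" > "$VAULT_SECRET_MOUNT";
      - name: helm-vault
        init:
          command: ["argocd-plugin-helm-vault"]
          args: ["init"]
        generate:
          command: ["argocd-plugin-helm-vault"]
          args: ["generate"]
      - name: helmfile-vault
        init:
          command: ["argocd-plugin-helmfile-vault"]
          args: ["init"]
        generate:
          command: ["argocd-plugin-helmfile-vault"]
          args: ["generate"]

repoServer:
  # Scratch volume populated by the init container and projected, file by file,
  # onto the repo-server's PATH.
  volumes:
    - name: custom-tools
      emptyDir: {}
  volumeMounts:
    - mountPath: /usr/local/bin/helmfile
      name: custom-tools
      subPath: helmfile
    - mountPath: /usr/local/bin/vault
      name: custom-tools
      subPath: vault
    - mountPath: /usr/local/bin/argocd-plugin-helmfile-vault
      name: custom-tools
      subPath: argocd-plugin-helmfile-vault
    - mountPath: /usr/local/bin/argocd-plugin-helm-vault
      name: custom-tools
      subPath: argocd-plugin-helm-vault
  initContainers:
    - name: download-tools
      # TODO: pin by digest (abdennour/curl-zip@sha256:<digest>) so the tag
      # cannot be re-pointed without a values change.
      image: abdennour/curl-zip:alpine-3.13
      command: ["sh", "-c"]
      # `-f` makes curl exit non-zero on HTTP errors instead of saving the error
      # body; without it a 404 page would be written to the target path and
      # then made executable by the final chmod.
      # TODO: verify each artifact against a pinned checksum before chmod +x,
      # e.g. `echo '<sha256>  /custom-tools/helmfile' | sha256sum -c -`; the
      # URLs are version-pinned but nothing here checks what was served.
      args:
        - >-
          curl -fSsL -o /custom-tools/helmfile https://github.com/roboll/helmfile/releases/download/v0.138.2/helmfile_linux_amd64
          && curl -fSsL -o /tmp/vault.zip https://releases.hashicorp.com/vault/1.5.0/vault_1.5.0_linux_amd64.zip
          && unzip /tmp/vault.zip -d /custom-tools/
          && curl -fSsL -o /custom-tools/argocd-plugin-helmfile-vault https://gist.githubusercontent.com/abdennour/36618a85f56a10126286ae5b287eb0ed/raw/c61fbc43cf609493afa762d02574611514d8f8b0/argocd-plugin-helmfile-vault.sh
          && curl -fSsL -o /custom-tools/argocd-plugin-helm-vault https://gist.githubusercontent.com/abdennour/36618a85f56a10126286ae5b287eb0ed/raw/092a93a698771754ac0e36091cdcf3504b85d6f6/argocd-plugin-helm-vault.sh
          && chmod +x /custom-tools/*
      volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools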
#!/bin/bash
# GNU GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
# @required $VAULT_SECRET_KEY | $VAULT_SECRET_PATH | $VAULT_SECRET_MOUNT
# @optional $VAULT_ADDR | $VAULT_AUTH_ROLE
# @optional $HELM_ARGS
# @builtin $ARGOCD_APP_NAMESPACE | $ARGOCD_APP_NAME
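# Expand $VAR / ${VAR} references in the given text from the current
# environment and print the result without a trailing newline.
#
# Arguments: one or more strings; they are joined with single spaces.
# Returns:   the exit status of envsubst (preferred) or perl (fallback).
#
# Both substitution tools only see *exported* variables and neither evaluates
# shell syntax, so nothing in the input is executed here. The caller does
# word-split the expanded output into command arguments, though, so the text
# fed in (e.g. HELM_ARGS from the plugin environment) should come from a
# trusted source.
variable_expansion() {
  local text="$*"
  # `command -v` reports availability via its exit status; `which` output is
  # shell-specific and not reliably empty when the tool is missing.
  if command -v envsubst >/dev/null 2>&1; then
    # printf instead of echo: a leading "-n"/"-e" in the text must not be
    # consumed as an echo option.
    printf '%s' "$text" | envsubst
  else
    printf '%s' "$text" | perl -pe 's/\$(\{)?([a-zA-Z_]\w*)(?(1)\})/$ENV{$2}/g'
  fi
}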
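# Fail fast. Without this a failed Vault login leaves VAULT_TOKEN empty, the
# secret file is written empty, and helm still renders with a success status;
# the caller consuming stdout cannot tell that from a good render.
set -euo pipefail

# Plugin phase requested by Argo CD: "init" or "generate".
phase=${1:-}
case $phase in
  "init")
    helm dep update
    ;;
  "generate")
    export VAULT_ADDR=${VAULT_ADDR:-"http://vault.vault:8200"}
    export VAULT_AUTH_ROLE=${VAULT_AUTH_ROLE:-"argocd"}
    # Assign and export separately: `export VAR=$(cmd)` would replace cmd's
    # exit status with export's and defeat `set -e`.
    sa_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role="${VAULT_AUTH_ROLE}" jwt="${sa_token}")
    export VAULT_TOKEN
    # The secret is materialised on the repo-server filesystem at a path chosen
    # by the plugin environment; the policy bound to VAULT_AUTH_ROLE is what
    # bounds which paths can be read here.
    vault kv get -field="${VAULT_SECRET_KEY}" "${VAULT_SECRET_PATH}" > "${VAULT_SECRET_MOUNT}"
    # Expansion result is intentionally unquoted: HELM_ARGS carries several
    # arguments. HELM_ARGS is optional, hence the ":-" under `set -u`.
    # shellcheck disable=SC2046
    helm -n "${ARGOCD_APP_NAMESPACE}" template "${ARGOCD_APP_NAME}" . $(variable_expansion "${HELM_ARGS:-}")
    ;;
  *)
    # stdout is the manifest stream; diagnostics belong on stderr.
    echo "ERROR invalid invocation argocd-plugin-helm-vault" >&2
    exit 1
    ;;
esac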
#!/bin/bash
# GNU GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
# @required $VAULT_SECRET_KEY | $VAULT_SECRET_PATH | $VAULT_SECRET_MOUNT
# @optional $VAULT_ADDR | $VAULT_AUTH_ROLE
# @optional $HELMFILE_FILE | $HELMFILE_ARGS
# @builtin $ARGOCD_APP_NAMESPACE
# Helmfile state file to operate on; defaults to helmfile.yaml in the app
# directory and may be overridden through the plugin environment.
: "${HELMFILE_FILE:=helmfile.yaml}"
export HELMFILE_FILE
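# Expand $VAR / ${VAR} references in the given text from the current
# environment and print the result without a trailing newline.
#
# Arguments: one or more strings; they are joined with single spaces.
# Returns:   the exit status of envsubst (preferred) or perl (fallback).
#
# Both substitution tools only see *exported* variables and neither evaluates
# shell syntax, so nothing in the input is executed here. The caller does
# word-split the expanded output into command arguments, though, so the text
# fed in (e.g. HELMFILE_ARGS from the plugin environment) should come from a
# trusted source.
variable_expansion() {
  local text="$*"
  # `command -v` reports availability via its exit status; `which` output is
  # shell-specific and not reliably empty when the tool is missing.
  if command -v envsubst >/dev/null 2>&1; then
    # printf instead of echo: a leading "-n"/"-e" in the text must not be
    # consumed as an echo option.
    printf '%s' "$text" | envsubst
  else
    printf '%s' "$text" | perl -pe 's/\$(\{)?([a-zA-Z_]\w*)(?(1)\})/$ENV{$2}/g'
  fi
}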
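# Fail fast, including inside the render pipeline. Without pipefail the
# pipeline's status is that of the last sed, so a helmfile failure yields an
# empty manifest stream with exit 0 — indistinguishable, to the caller, from an
# app that genuinely renders nothing. A failed Vault login is likewise masked
# without `set -e`.
set -euo pipefail

# Plugin phase requested by Argo CD: "init" or "generate".
phase=${1:-}
case $phase in
  "init")
    helmfile -f "${HELMFILE_FILE}" repos
    ;;
  "generate")
    export VAULT_ADDR=${VAULT_ADDR:-"http://vault.vault:8200"}
    export VAULT_AUTH_ROLE=${VAULT_AUTH_ROLE:-"argocd"}
    # Assign and export separately: `export VAR=$(cmd)` would replace cmd's
    # exit status with export's and defeat `set -e`.
    sa_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login role="${VAULT_AUTH_ROLE}" jwt="${sa_token}")
    export VAULT_TOKEN
    # The secret is materialised on the repo-server filesystem at a path chosen
    # by the plugin environment; the policy bound to VAULT_AUTH_ROLE is what
    # bounds which paths can be read here.
    vault kv get -field="${VAULT_SECRET_KEY}" "${VAULT_SECRET_PATH}" > "${VAULT_SECRET_MOUNT}"
    export HELMFILE_ARGS=${HELMFILE_ARGS:-"-e default"}
    # Expansion result is intentionally unquoted: HELMFILE_ARGS carries several
    # arguments. The two sed expressions are applied in one pass, same effect.
    # shellcheck disable=SC2046
    helmfile -f "${HELMFILE_FILE}" $(variable_expansion "${HELMFILE_ARGS}") \
      --state-values-set ns="${ARGOCD_APP_NAMESPACE}" \
      template --skip-deps \
      | sed -e '/WARNING: This chart is deprecated/d' \
            -e 's|apiregistration.k8s.io/v1beta1|apiregistration.k8s.io/v1|g'
    ;;
  *)
    # stdout is the manifest stream; diagnostics belong on stderr.
    echo "ERROR invalid invocation argocd-plugin-helmfile-vault" >&2
    exit 1
    ;;
esac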