From 2494f2002b93067a4eb6bc283527e586eccc6c0c Mon Sep 17 00:00:00 2001
From: friedrich goerz
Date: Mon, 4 Jul 2022 23:12:37 +0200
Subject: [PATCH] DEV-497/DEV-505: added stuff to enable helm secrets in argo

---
 group_vars/stage_devscr/argocd.yml | 49 +++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

diff --git a/group_vars/stage_devscr/argocd.yml b/group_vars/stage_devscr/argocd.yml
index a3dff24..d4645a6 100644
--- a/group_vars/stage_devscr/argocd.yml
+++ b/group_vars/stage_devscr/argocd.yml
@@ -37,6 +37,25 @@ k8s_argocd_helm__release_values:
             value: /.config
           - name: GNUPGHOME
             value: /home/argocd/.gnupg
+          - name: HELM_PLUGINS
+            value: /custom-tools/helm-plugins/
+          - name: HELM_SECRETS_HELM_PATH
+            value: /usr/local/bin/helm
+          - name: HELM_SECRETS_SOPS_PATH
+            value: /custom-tools/sops
+          - name: HELM_SECRETS_KUBECTL_PATH
+            value: /custom-tools/kubectl
+          - name: HELM_SECRETS_CURL_PATH
+            value: /custom-tools/curl
+          # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
+          - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
+            value: "false"
+          - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
+            value: "false"
+          - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
+            value: "false"
+          - name: HELM_SECRETS_KEY_LOCATION_PREFIX
+            value: "/sops-gpg/"
       volumes:
         - name: custom-tools
           emptyDir: {}
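Review bot: The three `HELM_SECRETS_VALUES_ALLOW_*` entries and `HELM_SECRETS_KEY_LOCATION_PREFIX` are the controls that stop an Application author from pointing helm-secrets at files outside its repository checkout or at key material outside the mounted `/sops-gpg` secret, but the only explanation is a bare wiki URL, so a later maintainer flipping one to `"true"` for convenience would silently widen that boundary. Suggest a comment above the block such as `# Hardening for a shared repo-server: values files resolve only inside the repo checkout, keys only from the mounted /sops-gpg secret. Do not relax without re-reading the linked page.` As I read the linked page, the prefix constrains the file-based `secrets+gpg-import`/`secrets+age-import` key paths; it is not a substitute for RBAC if the `-kubernetes` import schemes are enabled, and that distinction is worth stating here. The `env` list these entries extend begins before the hunk.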
@@ -68,7 +87,30 @@ k8s_argocd_helm__release_values:
         volumeMounts:
           - mountPath: /custom-tools
             name: custom-tools
-      - name: 2-import-gpg-key
+      - name: 2-download-tools
+        image: alpine:latest
+        command: ["/bin/sh", "-ec"]
+        env:
+          - name: HELM_SECRETS_VERSION
+            value: "3.12.0"
+          - name: SOPS_VERSION
+            value: "3.7.1"
+          - name: KUBECTL_VERSION
+            value: "1.22.0"
+        args:
+          - |
+            mkdir -p /custom-tools/helm-plugins
+            wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
+
+            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
+            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+            wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64 \
+
+            chmod +x /custom-tools/*
+        volumeMounts:
+          - mountPath: /custom-tools
+            name: custom-tools
+      - name: 3-import-gpg-key
         image: argoproj/argocd:v2.2.5
         command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
         env:
@@ -84,6 +126,11 @@ k8s_argocd_helm__release_values:
     logFormat: json
     config:
       url: 'https://{{ k8s_argocd_helm__domain }}'
+      helm.valuesFileSchemes: >-
+        secrets+gpg-import, secrets+gpg-import-kubernetes,
+        secrets+age-import, secrets+age-import-kubernetes,
+        secrets,
+        https
       kustomize.buildOptions: "--enable-alpha-plugins"
     rbacConfig:
       policy.default: role:readonly
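Review bot: The `2-download-tools` init container fetches `sops`, `kubectl` and `curl` over the network and executes them with no integrity check, from an unpinned `alpine:latest` image, and the curl binary comes from a `releases/latest` URL that changes silently between restarts; since `sops` is the binary that decrypts with the private key imported by `3-import-gpg-key` on the same pod, a tampered or substituted download runs with that key available. Pin every version (curl included, ideally the base image by digest) and verify each download against a digest stored in this file before `chmod +x`, as sketched below with placeholder digests to be filled from the upstream release checksum files; the helm-secrets tarball deserves the same treatment if its release publishes one. The stray trailing `\` after the curl `wget` followed by an empty line is harmless under `-e` but reads like a lost continuation and should go. Baking these tools into a custom repo-server image would remove the runtime download entirely.
```yaml
      - name: 2-download-tools
        image: alpine:<pinned tag, preferably @sha256 digest>
        # … unchanged: command …
        env:
          # … unchanged: HELM_SECRETS_VERSION, SOPS_VERSION, KUBECTL_VERSION …
          - name: CURL_VERSION
            value: "<pinned static-curl release tag>"
          - name: SOPS_SHA256
            value: "<sha256 from the sops release checksum file>"
          - name: KUBECTL_SHA256
            value: "<sha256 from dl.k8s.io .../kubectl.sha256>"
        args:
          - |
            mkdir -p /custom-tools/helm-plugins
            # … unchanged: helm-secrets plugin download …
            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
            echo "${SOPS_SHA256}  /custom-tools/sops" | sha256sum -c -
            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
            echo "${KUBECTL_SHA256}  /custom-tools/kubectl" | sha256sum -c -
            wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/download/${CURL_VERSION}/curl-amd64
            chmod +x /custom-tools/*
        # … unchanged: volumeMounts …
```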
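Review bot: `helm.valuesFileSchemes` enables more than this change uses: the key is imported from the `/sops-gpg` mount by the `3-import-gpg-key` init container and `HELM_SECRETS_KEY_LOCATION_PREFIX` pins file-based key loading to that path, yet the list also switches on `secrets+gpg-import-kubernetes`, `secrets+age-import-kubernetes` and `https`. As I read the helm-secrets documentation, the `-kubernetes` variants let a values reference in any repository Argo CD renders name a Kubernetes Secret that the repo-server's service account can read as the decryption key, and `https` lets it fetch a values file from an arbitrary URL at render time from inside the cluster network; neither is constrained by the path-traversal settings added earlier in this patch. Unless a consumer actually depends on those schemes, trim the value to what the rest of the change configures, `helm.valuesFileSchemes: secrets+gpg-import, secrets`, and if the `-kubernetes` variants are reintroduced later, document in a comment which RBAC grant on the repo-server bounds the Secrets it may read. The `config` mapping this key lands in starts before the hunk.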