diff --git a/roles/kubernetes/argocd/defaults/main.yml b/roles/kubernetes/argocd/defaults/main.yml
index 883441b..b7fbf81 100644
--- a/roles/kubernetes/argocd/defaults/main.yml
+++ b/roles/kubernetes/argocd/defaults/main.yml
@@ -72,9 +72,30 @@ k8s_argocd_helm__release_values:
 value: /.config
 - name: GNUPGHOME
 value: /home/argocd/.gnupg
+ - name: HELM_PLUGINS
+ value: /custom-tools/helm-plugins/
+ - name: HELM_SECRETS_SOPS_PATH
+ value: /custom-tools/sops
+ - name: HELM_SECRETS_VALS_PATH
+ value: /custom-tools/vals
+ - name: HELM_SECRETS_KUBECTL_PATH
+ value: /custom-tools/kubectl
+ - name: HELM_SECRETS_CURL_PATH
+ value: /custom-tools/curl
+ # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
+ - name: HELM_SECRETS_KEY_LOCATION_PREFIX
+ value: "/sops-gpg/"
+ - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
+ value: "false"
+ - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
+ value: "false"
+ - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
+ value: "false"
 volumes:
 - name: custom-tools
 emptyDir: {}
+ - name: custom-tools-helm
+ emptyDir: {}
 - name: gnupg-home
 emptyDir: {}
 - name: sops-gpg
@@ -91,6 +112,18 @@ k8s_argocd_helm__release_values:
 - mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
 name: custom-tools
 subPath: ksops
+ - mountPath: /custom-tools/helm-plugins
+ name: custom-tools-helm
+ subPath: helm-plugins
+ - mountPath: /custom-tools/kubectl
+ name: custom-tools-helm
+ subPath: kubectl
+ - mountPath: /custom-tools/sops
+ name: custom-tools-helm
+ subPath: sops
+ - mountPath: /custom-tools/vals
+ name: custom-tools-helm
+ subPath: vals
 initContainers:
 - name: 1-install-ksops
 image: viaductoss/ksops:v3.0.1
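Review bot: `HELM_SECRETS_CURL_PATH` is set to `/custom-tools/curl`, but nothing in this commit provides that file: the `2-download-tools` init container in the hunk at `@@ -103` fetches only helm-secrets, sops, kubectl and vals, and the volumeMounts hunk at `@@ -91` mounts only those four `subPath`s from `custom-tools-helm`. I cannot tell from the page whether helm-secrets falls back to a `curl` found on `PATH` when the configured path is absent; if it does, the remote-values code path would silently use whatever binary the image ships rather than a tool this role controls, and if it does not, any feature needing curl fails at runtime. Either drop the variable or add a matching download plus a `- mountPath: /custom-tools/curl` / `subPath: curl` entry so the configured path and the provisioned tools agree. The other `HELM_SECRETS_*` hardening values are quoted strings, which is the right form for Kubernetes env values.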
@@ -103,7 +136,39 @@ k8s_argocd_helm__release_values:
 volumeMounts:
 - mountPath: /custom-tools
 name: custom-tools
- - name: 2-import-gpg-key
+ - name: 2-download-tools
+ image: alpine:latest
+ command: [sh, -ec]
+ env:
+ - name: HELM_SECRETS_VERSION
+ value: "3.12.0"
+ - name: KUBECTL_VERSION
+ value: "1.24.3"
+ - name: VALS_VERSION
+ value: "0.18.0"
+ - name: SOPS_VERSION
+ value: "3.7.3"
+ args:
+ - |
+ echo "Installing helm secrets...";
+ mkdir -p /custom-tools/helm-plugins
+ wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
+ echo "Done.";
+
+ echo "Downloading SOPS=${SOPS_VERSION} and kubectl ...";
+ wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
+ wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
+ echo "Done.";
+
+ echo "Downloading vals...";
+ wget -qO- https://github.com/variantdev/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
+ echo "Done.";
+
+ chmod +x /custom-tools/*;
+ volumeMounts:
+ - mountPath: /custom-tools
+ name: custom-tools-helm
+ - name: 3-import-gpg-key
 image: argoproj/argocd:v2.2.5
 command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
 env:
@@ -126,6 +191,11 @@ k8s_argocd_helm__release_values:
 requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
 url: 'https://{{ k8s_argocd_helm__domain }}'
 kustomize.buildOptions: "--enable-alpha-plugins"
+ helm.valuesFileSchemes: >-
+ secrets+gpg-import, secrets+gpg-import-kubernetes,
+ secrets+age-import, secrets+age-import-kubernetes,
+ secrets,secrets+literal,
+ https
 rbacConfig:
 policy.default: role:readonly
 policy.csv: |
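Review bot: The four `wget` downloads in `2-download-tools` are written to `/custom-tools`, made executable and later run by the repo-server with the private GPG key imported by `3-import-gpg-key` in reach, yet nothing verifies what was fetched: there is no checksum comparison, and the image is `alpine:latest` while the sibling init containers pin `viaductoss/ksops:v3.0.1` and `argoproj/argocd:v2.2.5`. A replaced release asset or a changed `latest` image would therefore run unnoticed inside the decrypt path. The versions are already fixed through the `*_VERSION` env entries, so the natural fix is to pin the expected digests beside them and let `sh -ec` abort the init container on mismatch, as in the excerpt below; the helm-secrets and vals archives, which are currently piped straight into `tar`, need the same treatment by saving to a temporary file, verifying, then extracting. Pinning the image to a tag or `@sha256:` digest closes the remaining gap.

```yaml
        image: alpine:<pinned-tag>@sha256:<digest>   # placeholder — pin like the sibling init containers
        # … unchanged: command, *_VERSION env entries …
          - name: SOPS_SHA256
            value: "<sha256 of sops-v3.7.3.linux>"   # placeholder
          - name: KUBECTL_SHA256
            value: "<sha256 of kubectl v1.24.3 linux/amd64>"   # placeholder
        args:
          - |
            # … unchanged: helm-secrets install …
            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
            echo "${SOPS_SHA256}  /custom-tools/sops" | sha256sum -c -
            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
            echo "${KUBECTL_SHA256}  /custom-tools/kubectl" | sha256sum -c -
            # … unchanged: vals download, chmod …
```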
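Review bot: `helm.valuesFileSchemes` enables `https` next to the `secrets+*` schemes, which lets any Application manifest point a values file at an arbitrary URL reachable from the repo-server and feed its content into rendering; the `HELM_SECRETS_VALUES_ALLOW_*` variables added earlier in this commit constrain local paths, and as far as I can tell from the page nothing constrains remote fetches. If remote values files are not actually needed, drop `https`; if they are, a comment naming the consumer would help the next reviewer, e.g. `# https: remote values files are fetched at render time — keep only while <consumer> needs it`. The separators are also inconsistent (`secrets,secrets+literal,` against `secrets+gpg-import, secrets+gpg-import-kubernetes,`); `secrets, secrets+literal,` reads cleaner even if the parser tolerates both forms.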