|
|
|
@ -72,9 +72,30 @@ k8s_argocd_helm__release_values:
|
|
|
|
value: /.config
|
|
|
|
value: /.config
|
|
|
|
- name: GNUPGHOME
|
|
|
|
- name: GNUPGHOME
|
|
|
|
value: /home/argocd/.gnupg
|
|
|
|
value: /home/argocd/.gnupg
|
|
|
|
|
|
|
|
- name: HELM_PLUGINS
|
|
|
|
|
|
|
|
value: /custom-tools/helm-plugins/
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_SOPS_PATH
|
|
|
|
|
|
|
|
value: /custom-tools/sops
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_VALS_PATH
|
|
|
|
|
|
|
|
value: /custom-tools/vals
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_KUBECTL_PATH
|
|
|
|
|
|
|
|
value: /custom-tools/kubectl
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_CURL_PATH
|
|
|
|
|
|
|
|
value: /custom-tools/curl
|
|
|
|
|
|
|
|
# https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_KEY_LOCATION_PREFIX
|
|
|
|
|
|
|
|
value: "/sops-gpg/"
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
|
|
|
|
|
|
|
|
value: "false"
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
|
|
|
|
|
|
|
|
value: "false"
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
|
|
|
|
|
|
|
|
value: "false"
|
|
|
|
volumes:
|
|
|
|
volumes:
|
|
|
|
- name: custom-tools
|
|
|
|
- name: custom-tools
|
|
|
|
emptyDir: {}
|
|
|
|
emptyDir: {}
|
|
|
|
|
|
|
|
- name: custom-tools-helm
|
|
|
|
|
|
|
|
emptyDir: {}
|
|
|
|
- name: gnupg-home
|
|
|
|
- name: gnupg-home
|
|
|
|
emptyDir: {}
|
|
|
|
emptyDir: {}
|
|
|
|
- name: sops-gpg
|
|
|
|
- name: sops-gpg
|
|
|
|
@ -91,6 +112,18 @@ k8s_argocd_helm__release_values:
|
|
|
|
- mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
|
|
|
|
- mountPath: /.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops
|
|
|
|
name: custom-tools
|
|
|
|
name: custom-tools
|
|
|
|
subPath: ksops
|
|
|
|
subPath: ksops
|
|
|
|
|
|
|
|
- mountPath: /custom-tools/helm-plugins
|
|
|
|
|
|
|
|
name: custom-tools-helm
|
|
|
|
|
|
|
|
subPath: helm-plugins
|
|
|
|
|
|
|
|
- mountPath: /custom-tools/kubectl
|
|
|
|
|
|
|
|
name: custom-tools-helm
|
|
|
|
|
|
|
|
subPath: kubectl
|
|
|
|
|
|
|
|
- mountPath: /custom-tools/sops
|
|
|
|
|
|
|
|
name: custom-tools-helm
|
|
|
|
|
|
|
|
subPath: sops
|
|
|
|
|
|
|
|
- mountPath: /custom-tools/vals
|
|
|
|
|
|
|
|
name: custom-tools-helm
|
|
|
|
|
|
|
|
subPath: vals
|
|
|
|
initContainers:
|
|
|
|
initContainers:
|
|
|
|
- name: 1-install-ksops
|
|
|
|
- name: 1-install-ksops
|
|
|
|
image: viaductoss/ksops:v3.0.1
|
|
|
|
image: viaductoss/ksops:v3.0.1
|
|
|
|
@ -103,7 +136,39 @@ k8s_argocd_helm__release_values:
|
|
|
|
volumeMounts:
|
|
|
|
volumeMounts:
|
|
|
|
- mountPath: /custom-tools
|
|
|
|
- mountPath: /custom-tools
|
|
|
|
name: custom-tools
|
|
|
|
name: custom-tools
|
|
|
|
- name: 2-import-gpg-key
|
|
|
|
- name: 2-download-tools
|
|
|
|
|
|
|
|
image: alpine:latest
|
|
|
|
|
|
|
|
command: [sh, -ec]
|
|
|
|
|
|
|
|
env:
|
|
|
|
|
|
|
|
- name: HELM_SECRETS_VERSION
|
|
|
|
|
|
|
|
value: "3.12.0"
|
|
|
|
|
|
|
|
- name: KUBECTL_VERSION
|
|
|
|
|
|
|
|
value: "1.24.3"
|
|
|
|
|
|
|
|
- name: VALS_VERSION
|
|
|
|
|
|
|
|
value: "0.18.0"
|
|
|
|
|
|
|
|
- name: SOPS_VERSION
|
|
|
|
|
|
|
|
value: "3.7.3"
|
|
|
|
|
|
|
|
args:
|
|
|
|
|
|
|
|
- |
|
|
|
|
|
|
|
|
echo "Installing helm secrets...";
|
|
|
|
|
|
|
|
mkdir -p /custom-tools/helm-plugins
|
|
|
|
|
|
|
|
wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
|
|
|
|
|
|
|
|
echo "Done.";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "Downloading SOPS=${SOPS_VERSION} and kubectl ...";
|
|
|
|
|
|
|
|
wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
|
|
|
|
|
|
|
|
wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
|
|
|
|
|
|
|
|
echo "Done.";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "Downloading vals...";
|
|
|
|
|
|
|
|
wget -qO- https://github.com/variantdev/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz | tar -xzf- -C /custom-tools/ vals;
|
|
|
|
|
|
|
|
echo "Done.";
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
chmod +x /custom-tools/*;
|
|
|
|
|
|
|
|
volumeMounts:
|
|
|
|
|
|
|
|
- mountPath: /custom-tools
|
|
|
|
|
|
|
|
name: custom-tools-helm
|
|
|
|
|
|
|
|
- name: 3-import-gpg-key
|
|
|
|
image: argoproj/argocd:v2.2.5
|
|
|
|
image: argoproj/argocd:v2.2.5
|
|
|
|
command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
|
|
|
|
command: ["gpg", "--import","/sops-gpg/gpg_key_smardigo_automation__private"]
|
|
|
|
env:
|
|
|
|
env:
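Review bot: The new `2-download-tools` init container in the third hunk writes helm-secrets, sops, kubectl and vals into `/custom-tools` straight from `wget` with no integrity check, and runs from the unpinned `image: alpine:latest`, so the binaries that later decrypt and render secrets are whatever the release endpoints and the registry happen to serve at pod start. Pinning the image by tag plus digest and verifying each download against an expected SHA-256 (pinned next to the `*_VERSION` env entries, or fetched from the checksum file the upstream release publishes) before `chmod +x /custom-tools/*` closes that gap; kubectl, for one, ships a `.sha256` beside each release binary. The `-e` in `command: [sh, -ec]` also does not fail the `wget -qO- … | tar` pipelines when the left side fails, so a truncated helm-secrets or vals archive can be accepted silently; `set -o pipefail` at the top of the script (which BusyBox ash in Alpine should accept) makes those failures fatal. The enclosing `initContainers` list starts in the previous hunk and the `3-import-gpg-key` entry continues outside this one.
```yaml
        image: alpine:3.16@sha256:<IMAGE_DIGEST_PLACEHOLDER>
        # … unchanged: command, *_VERSION env entries …
        env:
          - name: SOPS_SHA256
            value: "<SHA256_OF_SOPS_RELEASE_PLACEHOLDER>"
          - name: KUBECTL_SHA256
            value: "<SHA256_OF_KUBECTL_RELEASE_PLACEHOLDER>"
        args:
          - |
            set -o pipefail
            # … unchanged: helm-secrets install …
            echo "Downloading SOPS=${SOPS_VERSION} and kubectl ...";
            wget -qO /custom-tools/sops https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux
            wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
            echo "${SOPS_SHA256}  /custom-tools/sops" | sha256sum -c -
            echo "${KUBECTL_SHA256}  /custom-tools/kubectl" | sha256sum -c -
            echo "Done.";
            # … unchanged: vals download, chmod, volumeMounts …
```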
|
|
|
|
@ -126,6 +191,11 @@ k8s_argocd_helm__release_values:
|
|
|
|
requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
|
|
|
|
requestedScopes: ["openid", "profile", "email", "{{ argo_keycloak_clientscope_name }}"]
|
|
|
|
url: 'https://{{ k8s_argocd_helm__domain }}'
|
|
|
|
url: 'https://{{ k8s_argocd_helm__domain }}'
|
|
|
|
kustomize.buildOptions: "--enable-alpha-plugins"
|
|
|
|
kustomize.buildOptions: "--enable-alpha-plugins"
|
|
|
|
|
|
|
|
helm.valuesFileSchemes: >-
|
|
|
|
|
|
|
|
secrets+gpg-import, secrets+gpg-import-kubernetes,
|
|
|
|
|
|
|
|
secrets+age-import, secrets+age-import-kubernetes,
|
|
|
|
|
|
|
|
secrets,secrets+literal,
|
|
|
|
|
|
|
|
https
|
|
|
|
rbacConfig:
|
|
|
|
rbacConfig:
|
|
|
|
policy.default: role:readonly
|
|
|
|
policy.default: role:readonly
|
|
|
|
policy.csv: |
|
|
|
|
policy.csv: |
|
|
|
|
|