
Argo CD Docker Image

This Argo CD Docker Image contains the necessary tools to make use of Helm value files encrypted using Sops.

The following tools have been added to the image:

Helm Sops is installed to transparently wrap Helm. This way, there is no need to configure a custom tool in Argo CD and native Helm functionalities can still be used (such as valueFiles or values).

Argo CD repository server binary is wrapped by a shell script which can import a GPG private key if it exists. The key must be located at /app/config/gpg/privkey.asc.

Usage

Encrypting Helm value files

Read Helm Sops documentation to start using Helm encrypted value files.

Deploying Argo CD using the Helm chart

Using the custom image

To use this custom image when deploying Argo CD using the Helm chart, add the following lines to the chart value file:

global:
  image:
    repository: "camptocamp/argocd"
    tag: "v2.8.2_c2c.1"

Using Sops with a GPG key

In order to use Sops with a GPG key, add the following lines to the chart value file:

global:
  securityContext:
    fsGroup: 2000

repoServer:
  volumes:
    - name: "gpg-private-key"
      secret:
        secretName: "argocd-secret"
        items:
          - key: "gpg.privkey.asc"
            path: "privkey.asc"
        defaultMode: 0600
  volumeMounts:
    - name: "gpg-private-key"
      mountPath: "/app/config/gpg/privkey.asc"
      subPath: "privkey.asc"

and add the following lines to an encrypted value file (the GPG private key can be exported by running gpg --export-secret-keys --armor <key ID>):

configs:
  secret:
    extra:
      gpg.privkey.asc: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        
        ...
        -----END PGP PRIVATE KEY BLOCK-----

Using Sops with an AWS KMS key

In order to use Sops with an AWS KMS key and if instance profiles cannot be used, add the following lines to the chart value file:

repoServer:
  env:
    - name: "AWS_ACCESS_KEY_ID"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.accessKeyId"
    - name: "AWS_SECRET_ACCESS_KEY"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.secretAccessKey"

and add the following lines to an encrypted value file (create a dedicated IAM Access Key):

configs:
  secret:
    extra:
      aws.accessKeyId: <Access Key ID>
      aws.secretAccessKey: <Secret Access Key>

Using Sops with an Age key

Install the Age tool and run the following command to generate a new key:

age-keygen -o key.txt

In order to use Sops with an Age key, add the following lines to the chart value file:

repoServer:
  env:
    - name: SOPS_AGE_KEY_FILE
      value: /app/config/age/keys.txt
  volumeMounts:
    - mountPath: /app/config/age/keys.txt
      name: sops-age
      subPath: keys.txt
  volumes:
    - name: sops-age
      secret:
        defaultMode: 420
        items:
          - key: keys.txt
            path: keys.txt
        secretName: argocd-secret

and add the following lines to an encrypted value file, with the contents of the Sops Age key file (key.txt) as the data:

configs:
  secret:
    extra:
      keys.txt: |
        ...
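An added example, not code from the docker-argocd project, that lints the repoServer values from the GPG and Age sections above for the two details that go wrong most often: a secret mounted over the whole /app/config/gpg directory instead of the single file via subPath (the failure reported in the issues on this page), and a defaultMode wider than 0600 (the Age snippet's 420 is decimal for 0644). It assumes the values are already parsed into Python dicts; the sample configs are the page's YAML transcribed by hand.

```python
# Added example, not code from the docker-argocd project: a lint pass over the
# repoServer block of the Argo CD chart values for the GPG and Age mounts above.
from typing import Any, Dict, List

GPG_KEY_PATH = "/app/config/gpg/privkey.asc"  # where the wrapper script looks for the key
GPG_DIR = "/app/config/gpg"                    # Argo CD initialises its own keyring under here
MAX_MODE = 0o600                               # a private key must not be group/world readable

def lint_repo_server(repo_server: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means the block looks sane."""
    findings: List[str] = []
    modes = {v["name"]: v["secret"].get("defaultMode")
             for v in repo_server.get("volumes", []) if "secret" in v}
    mounts = repo_server.get("volumeMounts", [])
    env = {e["name"]: e.get("value") for e in repo_server.get("env", [])}
    for m in mounts:
        name, path = m["name"], m["mountPath"].rstrip("/")
        # A secret mounted over the whole directory hides Argo CD's own
        # /app/config/gpg/keys (the "no such file or directory" failure in the
        # issues below); mount the single file via subPath instead.
        if path == GPG_DIR and "subPath" not in m:
            findings.append(f"{name}: mount over {GPG_DIR} hides Argo CD's keyring; "
                            f"mount {GPG_KEY_PATH} with subPath instead")
        mode = modes.get(name)  # None when the chart default applies
        if mode is not None and mode & ~MAX_MODE:
            findings.append(f"{name}: defaultMode {mode:04o} is broader than {MAX_MODE:04o}")

    age_file = env.get("SOPS_AGE_KEY_FILE")  # must point at a path a volumeMount provides
    if age_file and age_file not in {m["mountPath"] for m in mounts}:
        findings.append(f"SOPS_AGE_KEY_FILE={age_file} is not backed by any volumeMount")
    return findings

# The page's YAML transcribed to dicts (YAML's 0600 is octal; 420 is decimal 0644).
README_GPG = {
    "volumes": [{"name": "gpg-private-key", "secret": {"secretName": "argocd-secret", "defaultMode": 0o600}}],
    "volumeMounts": [{"name": "gpg-private-key", "mountPath": GPG_KEY_PATH, "subPath": "privkey.asc"}],
}
README_AGE = {
    "env": [{"name": "SOPS_AGE_KEY_FILE", "value": "/app/config/age/keys.txt"}],
    "volumes": [{"name": "sops-age", "secret": {"secretName": "argocd-secret", "defaultMode": 420}}],
    "volumeMounts": [{"name": "sops-age", "mountPath": "/app/config/age/keys.txt", "subPath": "keys.txt"}],
}
ISSUE_GPG = {  # from the "gpg issue" report: whole directory mounted, no subPath
    "volumes": [{"name": "gpg-private-key", "secret": {"secretName": "argocd-secret", "defaultMode": 0o600}}],
    "volumeMounts": [{"name": "gpg-private-key", "mountPath": "/app/config/gpg"}],
}

if __name__ == "__main__":
    for label, cfg in (("gpg", README_GPG), ("age", README_AGE), ("issue", ISSUE_GPG)):
        print(label, lint_repo_server(cfg) or ["ok"])
```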

Example application

An example application as well as an example Argo CD setup to deploy it can be found here.

docker-argocd's Issues

Issue: exec argocd-repo-server failed: Permission denied

Hi
I need Helm and Sops support in my Argo CD. I know there is a release for v2.0 now,
but I just need to try, so I tried the 1.8.5 version.

I tried using the same Dockerfile and argocd-repo-server-wrapper and then uploaded it to our own Docker repo.
I am using the 1.8.5 install script from Argo https://raw.githubusercontent.com/argoproj/argo-cd/v1.8.6/manifests/install.yaml
and modified the repo-server image.

However, it goes into CrashLoopBackOff with the error logs below:
[FATAL tini (7)] exec argocd-repo-server failed: Permission denied

But when I use the camptocamp image directly without changing other settings, it is fine:
repository: "camptocamp/argocd"
tag: "v1.8.5_c2c.1"

So I wonder whether something is missing from the Dockerfile or the argocd-repo-server-wrapper.

Can anyone help?

Support new argocd version 2.0.x

Seems the wrapper is not compatible with the latest ArgoCD version because the repo-server will be a symlink to the argocd binary in 1.9.x / 2.0.x.

Planned support for age ?

Hello, this is more of a request than an issue :)
Is it planned to have this image also support age?

Error getting data key: 0 successful groups required, got 0

Upon following the README steps very closely I am seemingly stuck on retrieving the key for KMS from within argo. I am trying to deploy a custom chart.

I have added the following to my argocd's chart values.yaml.

repoServer:
  env:
    - name: "AWS_ACCESS_KEY_ID"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.accessKeyId"
    - name: "AWS_SECRET_ACCESS_KEY"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.secretAccessKey"

I have also encrypted a secrets.yaml file in the argocd chart with the following format:

configs:
  secret:
    extra:
      aws.accessKeyId: <Access Key ID>
      aws.secretAccessKey: <Secret Access Key>

I have installed helm-sops locally and I have tested decrypting and encrypting with the IAM user which those AWS access creds relate to. The output of helm-sops template ... on my host machine properly handles decrypting the secrets.yaml file of the target chart I am trying to use.

The error seems to point towards not being able to retrieve the KMS key from within the argo-server (which was deployed with the argocd chart with the special configs mentioned above).

Upon inspection of the argocd-repo-server pod (created as a result of the chart install) I actually do not see the env vars AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY. I feel like I should. That is, the output of kubectl exec -n argocd argocd-repo-server-64bf999468-ls6m9 -- printenv does not include the vars above.

gpg issue - /app/config/gpg/keys: no such file or directory

I've followed the documentation on "Using Sops with a GPG key" but the container ceases to start due to the following:

gpg: directory '/home/argocd/.gnupg' created
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 5C863630055D4A17: public key "XYZ" imported
gpg: key 5C863630055D4A17: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
time="2020-12-14T11:05:33Z" level=info msg="Initializing GnuPG keyring at /app/config/gpg/keys"
time="2020-12-14T11:05:33Z" level=fatal msg="stat /app/config/gpg/keys: no such file or directory"

I've used the v1.8.1_c2c.1 image and also tried the previous one.

My configuration (helmfile):

    values:
      - global:
          image:
            repository: "camptocamp/argocd"
#            tag: "v1.8.1_c2c.1"
            tag: "v1.7.10_c2c.1"
          securityContext:
            fsGroup: 2000
      - repoServer:
          volumes:
            - name: "gpg-private-key"
              secret:
                secretName: "argocd-secret"
                items:
                  - key: "gpg.privkey.asc"
                    path: "privkey.asc"
                defaultMode: 0600
          volumeMounts:
            - name: "gpg-private-key"
              mountPath: "/app/config/gpg"
      - configs:
          secret:
            extra:
              gpg.privkey.asc: |-
                {{ .Values | get "GPG_PRIVKEY_FOR_HELM" "" | nindent 18 }}
