camptocamp / docker-argocd Goto Github PK

Hello, this is more a request than an issue :)
Is it planned to have this image also supporting age ?

Upon following the README steps very closely I am seemingly stuck on retrieving the key for KMS from within argo. I am trying to deploy a custom chart.

I have added the following to my argocd's chart values.yaml.

repoServer:
  env:
    - name: "AWS_ACCESS_KEY_ID"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.accessKeyId"
    - name: "AWS_SECRET_ACCESS_KEY"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.secretAccessKey"

I have also encrypted a secrets.yaml file in the argocd chart with the following format:

configs:
  secret:
    extra:
      aws.accessKeyId: <Access Key ID>
      aws.secretAccessKey: <Secret Access Key>

I have installed helm-sops locally and I have tested decrypting and encrypting with the IAM user which those AWS access creds relate to. The output of helm-sops template ... on my host machine properly handles decrypting the secrets.yaml file of the target chart I am trying to use.

The error seems to point towards not being able to retrieve the KMS key from within the argo-server (which was deployed with the argocd chart with the special configs mentioned above).

Upon inspection of the argocd-repo-server pod (created as a result on the chart install) I actually do not see the env var AWS_ACCESS_KEY_ID or AWS_SECRET_ACCESS_KEY. I feel like I should? i.e. the results of kubectl exec -n argocd argocd-repo-server-64bf999468-ls6m9 -- printenv does not yield the vars above.

Seems the wrapper is not compatible with the latest ArgoCD version because the repo-server will be a symlink to argocd binary in 1.9.x / 2.0.x

I've followed the documentation on "Using Sops with a GPG key" but the container ceases to start due to the following:

gpg: directory '/home/argocd/.gnupg' created
gpg: keybox '/home/argocd/.gnupg/pubring.kbx' created
gpg: /home/argocd/.gnupg/trustdb.gpg: trustdb created
gpg: key 5C863630055D4A17: public key "XYZ" imported
gpg: key 5C863630055D4A17: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
time="2020-12-14T11:05:33Z" level=info msg="Initializing GnuPG keyring at /app/config/gpg/keys"
time="2020-12-14T11:05:33Z" level=fatal msg="stat /app/config/gpg/keys: no such file or directory"

I've used the v1.8.1_c2c.1 image and also tried the previous one.

My configuration (helmfile):

    values:
      - global:
          image:
            repository: "camptocamp/argocd"
#            tag: "v1.8.1_c2c.1"
            tag: "v1.7.10_c2c.1"
          securityContext:
            fsGroup: 2000
      - repoServer:
          volumes:
            - name: "gpg-private-key"
              secret:
                secretName: "argocd-secret"
                items:
                  - key: "gpg.privkey.asc"
                    path: "privkey.asc"
                defaultMode: 0600
          volumeMounts:
            - name: "gpg-private-key"
              mountPath: "/app/config/gpg"
      - configs:
          secret:
            extra:
              gpg.privkey.asc: |-
                {{ .Values | get "GPG_PRIVKEY_FOR_HELM" "" | nindent 18 }}

Hi
I need helm and sops support in my argocd , i know there have release for v2.0 now
But i just need to try so i try 1.8.5 version

I try using the same Dockerfile and argocd-repo-server-wrapper and then upload to our own docker repo
I am using back 1.8.5 install script from argo https://raw.githubusercontent.com/argoproj/argo-cd/v1.8.6/manifests/install.yaml
and modify the repo-sever image

However it turn to CrashLoopBackOff with below error logs
[FATAL tini (7)] exec argocd-repo-server failed: Permission denied

But when i using directly from camptocamp image without change other setting , its is fine
repository: "camptocamp/argocd"
tag: "v1.8.5_c2c.1"

so i wonder something is missing from the Dockerfile or the argocd-repo-server-wrapper

Anyone can help