argocd repo server sops

README.md

@@ -94,6 +94,11 @@ Tools
 
 Defines a sonar-scanner container image. Built from `ploigos-base`.
 
+## argocd-repo-server-sops
+
+Layers [sops](https://github.com/mozilla/sops) and the [helm-secrets](https://github.com/jkroepke/helm-secrets) plugin  ontop of the base argocd-repo-server image.
+
+
 # Automatic Build, Test, and Publish
 
 The following github events to this repository will cause the
@@ -168,6 +173,7 @@ podman build --tag ploigos-tool-jkube       --build-arg BASE_IMAGE=ploigos-tool-
 podman build --tag ploigos-tool-openscap    --build-arg BASE_IMAGE=ploigos-tool-containers ploigos-tool-openscap
 podman build --tag ploigos-tool-autogov     --build-arg BASE_IMAGE=ploigos-autogov         ploigos-tool-autogov
 podman build --tag ploigos-tool-sonar       --build-arg BASE_IMAGE=ploigos-base            ploigos-tool-sonar
+podman build --tag argocd-repo-server-sops  argocd-repo-server-sops
 ```
 
 ## Test

argocd-repo-server-sops/Containerfile.ubi8

@@ -0,0 +1,36 @@
+FROM registry.redhat.io/openshift-gitops-1/argocd-rhel8@sha256:3e6521a3610b23dce99f4eb643171ac9172808e86f3ca4154f5d548a286bb95f
+
+ARG SOPS_VERSION="3.7.1"
+ARG HELM_SECRETS_VERSION="3.8.3"
+ARG SOPS_RPM="https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-${SOPS_VERSION}-1.x86_64.rpm"
+ARG HELM_PLUGINS_DIR="/helm-plugins"
+
+USER root
+
+# Install packages
+RUN rpm -i ${SOPS_RPM}
+RUN INSTALL_PKGS="findutils" && \
+    microdnf update -y --nobest && \
+    microdnf install -y --setopt=tsflags=nodocs ${INSTALL_PKGS} && \
+    microdnf clean all && \
+    rm -rf /var/cache /var/log/dnf* /var/log/yum.*
+
+# Install helm wrapper
+# NOTE: this magic works because /usr/local/bin is first on path before /usr/bin
+COPY helm-wrapper.sh /usr/local/bin/helm
+RUN chmod +x /usr/local/bin/helm
+
+# create a place to install helm plugins that isn't tied to a user
+ENV HELM_PLUGINS="${HELM_PLUGINS_DIR}"
+RUN mkdir ${HELM_PLUGINS_DIR} \
+    && chmod a+rw ${HELM_PLUGINS_DIR}
+
+# install plugins
+RUN helm plugin install https://github.com/jkroepke/helm-secrets --version ${HELM_SECRETS_VERSION}
+
+# HACK: for some reason the helm plugin install is not respecting the HELM_PLUGINS env variable
+#	so manually copying the plugins to where we want them
+RUN cp -r ~/.local/share/helm/plugins/* ${HELM_PLUGINS_DIR}/
+
+USER argocd
+

argocd-repo-server-sops/README.md

@@ -0,0 +1,8 @@
+# argocd-repo-server-sops
+extends the argocd server to include the sops and the secrets plugin and updates the helm binary to take advantage of that
+
+## Building
+Requires access to registry.redhat.io to build.
+
+## source
+original source: https://faun.pub/handling-kubernetes-secrets-with-argocd-and-sops-650df91de173

argocd-repo-server-sops/helm-wrapper.sh

@@ -0,0 +1,25 @@
+#! /bin/sh
+
+
+# helm secrets only supports a few helm commands
+if [ $1 = "template" ] || [ $1 = "install" ] || [ $1 = "upgrade" ] || [ $1 = "lint" ] || [ $1 = "diff" ]
+then
+    # Helm secrets add some useless outputs to every commands including template, namely
+    # 'remove: <secret-path>.dec' for every decoded secrets.
+    # As argocd use helm template output to compute the resources to apply, these output
+    # will cause a parsing error from argocd, so we need to remove them.
+    # We cannot use exec here as we need to pipe the output so we call helm in a subprocess and
+    # handle the return code ourselves.
+    out=$(/usr/bin/helm secrets $@)
+    code=$?
+    if [ $code -eq 0 ]; then
+        # printf insted of echo here because we really don't want any backslash character processing
+        printf '%s\n' "$out" | sed -E "/^removed '.+\.dec'$/d"
+        exit 0
+    else
+        exit $code
+    fi
+else
+    # helm.bin is the original helm binary
+    exec /usr/bin/helm $@
+fi