Add support for multi-source ArgoCD applications

[jeroen-s]

Problem Statement

ArgoCD 2.6.0-RC1 finally introduced multi-source applications. It would be great if helm-secrets also supported this feature.

Proposed Solution

For the end user it might look something like:

spec:
  sources:
    - repoURL: git@github.com:my/repo.git
      targetRevision: main
      ref: values
    - repoURL: https://my-repo.github.io/helm-charts
      chart: my-chart
      targetRevision: 1.0
      helm:
        valueFiles:
          - $values/some-path/values.yaml
          - secrets://$values/some-path/secrets.yaml

Environment

• ArgoCD Version: 2.6.0-RC1
• Helm Secrets Version: 3.12.0

Additional information

No response

Acceptance Criteria

No response

[jkroepke]

Whats the error you receive?

[jete-vian]

argoproj/argo-cd#11863

• ArgoCD Version 2.6.0-RC1 & RC2
• Helm Secrets 3.12.0

failed exit status 1: [helm-secrets] File does not exist: /helm/external-values/argo-workflows/dev.enc.values.yaml Error: plugin "scripts/run.sh downloader" exited with error

It appears the variable (from reference repository) comes across as empty.

[jkroepke]

It seems expected for now

The $values variable may only be specified at the beginning of the value file path.

https://github.com/ishitasequeira/argo-cd/blob/bbb92408a6549c262f4557253008cdd029f27b16/docs/user-guide/multiple_sources.md#helm-value-files-from-external-git-repository

[jkroepke]

And here is the code.

https://github.com/argoproj/argo-cd/blob/8ee438726877053c9adb1dfc0a8489b30df75681/reposerver/repository/repository.go#L1121-L1134

which validates, if an URL is used, the variable is not evaluated.

[jkroepke]

From my point of view, I can't do anything. If the feature goes live as is, I have to change the docs what the url based method is not working with multi apps.

[jete-vian]

So, since it starts with secrets+gpg-import:///helm-secrets-private-keys/key.asc and not $variable, ArgoCD will not resolve the variable.

Thank you for looking.

[jkroepke]

Are you using sops or vals backend?

[jete-vian]

Yes, I'm using sops (3.7.3)

[jkroepke]

I have raised a question in Community Slack about this situation.

---

Edit: In Slack, they said that they want to support this use-case.

[sanster23]

+1 for this feature

[jkroepke]

@sanster23 Thats cool. but if you read the comments above, its up to ArgoCD to support/re-implement this.

[jete-vian]

Sadly, doesn't seem like it's going to be revisited in 2.6.

[jkroepke]

PR upstream opened: argoproj/argo-cd#11966

[jkroepke]

It seems like the PR has no chance, since ArgoCD developers are not fine the proposal (I can understand the reasons).

With vals backend, some workarounds exists, e.g. by set HELM_SECRETS_EVALUATE_TEMPLATES=true and HELM_SECRETS_EVALUATE_TEMPLATES_DECODE_SECRETS=true with unknown side-effects yet.

[almereyda]

That's a pity to hear, but thanks for trying nevertheless.

How would the described workaround be implemented, e.g. how would a complete example of such workaround look like, if I may ask?

[jkroepke]

If HELM_SECRETS_EVALUATE_TEMPLATES=true is enabled, helm-secrets will be used the post-renderer functionally of helm. All rendered manifests including the unevaluated vals expressions will be passed to val eval and evaluated.

This is a solution for vals backend only and secrets:// scheme of values files needs to be omit inside the ArgoCD Application file.

But there is no solution for sops users yet.

[jkroepke]

@jeroen-s @sanster23 @jete-vian @almereyda can you take a look here?

https://github.com/jkroepke/helm-secrets/blob/argocd-docs/docs/ArgoCD%20Integration.md

I updated the documentation and added a section about multi-source apps and update the installations instructions. It's not fully tested yet.

Feedback here: #340