Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to add helm.valuesFileSchemes field in argocd-cm Config Map #379

Closed
priyas16 opened this issue Jun 16, 2023 · 7 comments
Closed

Unable to add helm.valuesFileSchemes field in argocd-cm Config Map #379

priyas16 opened this issue Jun 16, 2023 · 7 comments
Labels
bug Something isn't working Stale

Comments

@priyas16
Copy link

Current Behavior

Hi Team,

We are trying to install helm using values.yaml which we have encrypted using sops and will be referencing it when we create the Application following the below link.

https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration

In this process we are unable to add the helm.valuesFileSchemes field in argocd-cm Config Map, where after adding it the change is not reflecting or the values get reverted back when we reload it after saving.

Also we are using the RedHat OpenShift GitOps operator, so could you please let us know if it is possible to add the helm.valuesFileSchemes field in it. If so, where can we add it in the operator.

Thanks!!

Expected Behavior

No response

Steps To Reproduce

No response

Environment

  • Helm Version: 3
  • Helm Secrets Version:
  • ArgoCD Version - v2.7.2+cbee7e6
  • OS:
  • Shell:

Anything else?

No response
@priyas16 priyas16 added the bug Something isn't working label Jun 16, 2023
@jkroepke
Copy link
Owner

I'm not aware of the RedHat Openshift GitOps thing, but it seems like the operator may reverts the config.

In case, RedHat uses the offical ArgoCD Operator in background, than I could found this argoproj-labs/argocd-operator#583

If you could run oc get argocd, they you may find an ArgoCD manifest, where you add this:

spec:
  extraConfig:
    "helm.valuesFileSchemes": >-
      secrets+gpg-import, secrets+gpg-import-kubernetes,
      secrets+age-import, secrets+age-import-kubernetes,
      secrets,secrets+literal,
      https

If the config is accepted, then the argocd-cm should have the value.

If not, pretty sure you ask the RedHat support how to define custom ArgoCD settings.

@kishah-lilly
Copy link

kishah-lilly commented Jun 16, 2023
edited
Loading

The extraConfig was accepted, thanks @jkroepke. We are going through the documentation and wondering how this would work with the following ArgoCD application:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: splunk-opentelemetry
  namespace: openshift-gitops
spec:
  destination:
    namespace: splunk-opentelemetry
    server: 'https://kubernetes.default.svc'
  project: default
  sources:
  - repoURL: 'https://signalfx.github.io/splunk-otel-collector-chart'
    chart: splunk-otel-collector
    targetRevision: 0.78.0
    helm:
      valueFiles:
      - $values/location-of-values-file/values.enc.yaml
  - repoURL: 'https://github.com/location-of-repo'
    targetRevision: HEAD
    ref: values

How would we use - secrets+age-import:///helm-secrets-private-keys/key.txt?values_enc.yaml if we have to use $values path prefix based on the ArgoCD documentation?

If there is a limitation on the ArgoCD side, is there an alternative way to achieve the same? We only need to encrypt the accessToken value in the values.yaml file of the Splunk Helm chart at the end of the day. Do you think pulling the chart locally and then re-writing the Application spec to point to the local chart would work better, how would that look like?

Thanks!!

@jkroepke
Copy link
Owner

if we have to use $values path prefix based on the ArgoCD documentation?

Good catch, in short: Multi Source Applications and helm secrets are not compatible. See: argoproj/argo-cd#11866

There is an hack documented to add some compatibility with multi-source apps, however I can not really recommend it.

https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#multi-source-application-support-beta

Do you think pulling the chart locally and then re-writing the Application spec to point to the local chart would work better, how would that look like?

Yes. I would recommend a local umbrella chart which has an dependency against the Splunk chart. and add a secrets.yaml next to the values.yaml

@kishah-lilly
Copy link

kishah-lilly commented Jun 19, 2023
edited
Loading

if we have to use $values path prefix based on the ArgoCD documentation?

Good catch, in short: Multi Source Applications and helm secrets are not compatible. See: argoproj/argo-cd#11866

There is an hack documented to add some compatibility with multi-source apps, however I can not really recommend it.

https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#multi-source-application-support-beta

Do you think pulling the chart locally and then re-writing the Application spec to point to the local chart would work better, how would that look like?

Yes. I would recommend a local umbrella chart which has an dependency against the Splunk chart. and add a secrets.yaml next to the values.yaml

When I pull the whole Splunk chart locally and commit it to git, it seems to work fine however,

when I try the umbrella chart approach (which would be ideal) it throws an error:

failed exit status 1: Error: values don't meet the specifications of the schema(s) in the following chart(s): splunk-otel-collector: - clusterName: String length must be greater than or equal to 1

This is my umbrella Chart.yaml:

apiVersion: v2
name: splunk-otel-collector
description: Subchart for splunk-otel-collector
type: application
version: 0.1.0
dependencies:
- name: splunk-otel-collector
  version: 0.78.0
  repository: https://signalfx.github.io/splunk-otel-collector-chart

The values.enc.yaml file resides in the same folder as the Chart.yaml.

As a side question, is it possible to use a non-encrypted values.yaml file + another encrypted file that contains the accessToken value? This way the whole values.yaml file doesn't have to be encrypted and diff-ing against the upstream values.yaml for upgrades is easier. Is this what the following is doing?
https://github.com/jkroepke/helm-secrets/blob/main/examples/argo-cd/app.yaml:

fileParameters:
        - name: podAnnotations.fromFile
          path: 'secrets+gpg-import-kubernetes://helm-secrets-private-keys#key.asc?./files/file.properties'

Would it look like this for my use case?

fileParameters:
        - name: accessToken.fromFile
          path: 'secrets+age-import:///helm-secrets-private-keys#key.txt?accessToken.enc.yaml'

Thanks so much!!

@jkroepke
Copy link
Owner

when I try the umbrella chart approach (which would be ideal) it throws an error:

If you use an umbrella chart, mention that you have to shift you values. See https://helm.sh/docs/chart_template_guide/subcharts_and_globals/#adding-values-and-a-template-to-the-subchart

@github-actions
Copy link
Contributor

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Jul 21, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 26, 2023
@claneys
Copy link

claneys commented Dec 15, 2023

Hello there,

Found in trouble for the same reason. I use a workaround that is enough my use case now. I just set the SOPS_AGE_KEY environment variable and use the init container as recommended in the ArgoCD Integration guide and just not use secrets schemes. ArgoCD is satisfy by having the reference variable at the beginning of the string and everything is fine.

Doing this limits you to only 1 key to decrypt your files but as the wrapper use 'helm secrets' plugin in any case, it renders the manifests correctly.

Here my argocd-repo-server patch I use:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      volumes:
        - name: custom-tools
          emptyDir: {}
      initContainers:
        - name: helm-secret
          image: alpine:latest
          imagePullPolicy: IfNotPresent
          env:
            - name: KUBECTL_VERSION
              value: "1.28.3"
            - name: SOPS_VERSION
              value: "3.8.1"
            - name: HELM_SECRETS_VERSION
              value: "4.5.1"
          command: [sh, -ec]
          args:
            - |
              mkdir -p /custom-tools/helm-plugins
              wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
              wget -qO /custom-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64
              wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64
              wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
              cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm
              chmod +x /custom-tools/*
          volumeMounts:
            - mountPath: /custom-tools
              name: custom-tools
        - name: install-ksops
          image: viaductoss/ksops:v4.3.0
          command: ["/bin/sh", "-c"]
          args:
            - echo "Installing KSOPS...";
              mv ksops /custom-tools/;
              mv kustomize /custom-tools/;
              echo "Done.";
          volumeMounts:
            - mountPath: /custom-tools
              name: custom-tools
      containers:
        - name: argocd-repo-server
          volumeMounts:
            - mountPath: /custom-tools
              name: custom-tools
            - mountPath: /usr/local/sbin/helm
              name: custom-tools
              subPath: helm
            - mountPath: /usr/local/bin/kustomize
              name: custom-tools
              subPath: kustomize
            - mountPath: /usr/local/bin/ksops
              name: custom-tools
              subPath: ksops
          env:
            - name: HELM_PLUGINS
              value: /custom-tools/helm-plugins/
            - name: HELM_SECRETS_CURL_PATH
              value: /custom-tools/curl
            - name: HELM_SECRETS_SOPS_PATH
              value: /custom-tools/sops
            - name: HELM_SECRETS_KUBECTL_PATH
              value: /custom-tools/kubectl
            - name: HELM_SECRETS_BACKEND
              value: sops
            - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
              value: "false"
            - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
              value: "true"
            - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
              value: "false"
            - name: HELM_SECRETS_WRAPPER_ENABLED
              value: "true"
            - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
              value: "true"
            - name: HELM_SECRETS_HELM_PATH
              value: /usr/local/bin/helm
            - name: SOPS_AGE_KEY
              valueFrom:
                secretKeyRef:
                  name: argocd-age-credentials
                  key: age_secret_key

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working Stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@claneys @jkroepke @kishah-lilly @priyas16