Skip to content

Latest commit

 

History

History
141 lines (107 loc) · 3.69 KB

README.md

File metadata and controls

141 lines (107 loc) · 3.69 KB

Argo CD Docker Image

This Argo CD Docker Image contains the necessary tools to make use of Helm value files encrypted using Sops.

The following tools have been added to the image:

Helm Sops is installed to transparently wrap Helm. This way, there is no need to configure a custom tool in Argo CD and native Helm functionalities can still be used (such as valueFiles or values).

Argo CD repository server binary is wrapped by a shell script which can import a GPG private key if it exists. The key must be located at /app/config/gpg/privkey.asc.

Usage

Encrypting Helm value files

Read Helm Sops documentation to start using Helm encrypted value files.

Deploying Argo CD using the Helm chart

Using the custom image

To use this custom image when deploying Argo CD using the Helm chart, add the following lines to the chart value file:

global:
  image:
    repository: "camptocamp/argocd"
    tag: "v2.11.3_c2c.1"

Using Sops with a GPG key

In order to use Sops with a GPG key, add the following lines to the chart value file:

global:
  securityContext:
    fsGroup: 2000

repoServer:
  volumes:
    - name: "gpg-private-key"
      secret:
        secretName: "argocd-secret"
        items:
          - key: "gpg.privkey.asc"
            path: "privkey.asc"
        defaultMode: 0600
  volumeMounts:
    - name: "gpg-private-key"
      mountPath: "/app/config/gpg/privkey.asc"
      subPath: "privkey.asc"

and add the following lines to an encrypted value file (the GPG private key can be exported by running gpg --export-secret-keys --armor <key ID>:

configs:
  secret:
    extra:
      gpg.privkey.asc: |
        -----BEGIN PGP PRIVATE KEY BLOCK-----
        
        ...
        -----END PGP PRIVATE KEY BLOCK-----

Using Sops with an AWS KMS key

In order to use Sops with an AWS KMS key and if instance profiles cannot be used, add the following lines to the chart value file:

repoServer:
  env:
    - name: "AWS_ACCESS_KEY_ID"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.accessKeyId"
    - name: "AWS_SECRET_ACCESS_KEY"
      valueFrom:
        secretKeyRef:
          name: "argocd-secret"
          key: "aws.secretAccessKey"

and add the following lines to an encrypted value file (create a dedicated IAM Access Key):

configs:
  secret:
    extra:
      aws.accessKeyId: <Access Key ID>
      aws.secretAccessKey: <Secret Access Key>

Using Sops with AGE key

Install the Age tool and run the below command to generate a new key:

age-keygen -o key.txt

In order to use Sops with a Age key, add the following lines to the chart value file:

      repoServer:
        env:
          - name: SOPS_AGE_KEY_FILE
            value: /app/config/age/keys.txt
        volumeMounts:
          - mountPath: /app/config/age/keys.txt
            name: sops-age
            subPath: keys.txt
        volumes:
          - name: sops-age
            secret:
              defaultMode: 420
              items:
              - key: keys.txt
                path: keys.txt
              secretName: argocd-secret

and add the following lines to add key.txt (Add data of sops age key file):

configs:
  secret:
    extra:
      keys.txt: |
       ...

Example application

An example application as well as an example Argo CD setup to deploy it can be found here.