Unable to add helm.valuesFileSchemes field in argocd-cm Config Map #379
Comments
|
I'm not aware of the RedHat Openshift GitOps thing, but it seems like the operator may reverts the config. In case, RedHat uses the offical ArgoCD Operator in background, than I could found this argoproj-labs/argocd-operator#583 If you could run If the config is accepted, then the argocd-cm should have the value. If not, pretty sure you ask the RedHat support how to define custom ArgoCD settings. |
|
The How would we use If there is a limitation on the ArgoCD side, is there an alternative way to achieve the same? We only need to encrypt the Thanks!! |
Good catch, in short: Multi Source Applications and helm secrets are not compatible. See: argoproj/argo-cd#11866 There is an hack documented to add some compatibility with multi-source apps, however I can not really recommend it.
Yes. I would recommend a local umbrella chart which has an dependency against the Splunk chart. and add a secrets.yaml next to the values.yaml |
When I pull the whole Splunk chart locally and commit it to git, it seems to work fine however, when I try the umbrella chart approach (which would be ideal) it throws an error:
This is my umbrella Chart.yaml: apiVersion: v2
name: splunk-otel-collector
description: Subchart for splunk-otel-collector
type: application
version: 0.1.0
dependencies:
- name: splunk-otel-collector
version: 0.78.0
repository: https://signalfx.github.io/splunk-otel-collector-chartThe values.enc.yaml file resides in the same folder as the Chart.yaml. As a side question, is it possible to use a non-encrypted values.yaml file + another encrypted file that contains the fileParameters:
- name: podAnnotations.fromFile
path: 'secrets+gpg-import-kubernetes://helm-secrets-private-keys#key.asc?./files/file.properties'Would it look like this for my use case? fileParameters:
- name: accessToken.fromFile
path: 'secrets+age-import:///helm-secrets-private-keys#key.txt?accessToken.enc.yaml'Thanks so much!! |
If you use an umbrella chart, mention that you have to shift you values. See https://helm.sh/docs/chart_template_guide/subcharts_and_globals/#adding-values-and-a-template-to-the-subchart |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
|
Hello there, Found in trouble for the same reason. I use a workaround that is enough my use case now. I just set the SOPS_AGE_KEY environment variable and use the init container as recommended in the ArgoCD Integration guide and just not use secrets schemes. ArgoCD is satisfy by having the reference variable at the beginning of the string and everything is fine. Doing this limits you to only 1 key to decrypt your files but as the wrapper use 'helm secrets' plugin in any case, it renders the manifests correctly. Here my argocd-repo-server patch I use: apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
spec:
template:
spec:
volumes:
- name: custom-tools
emptyDir: {}
initContainers:
- name: helm-secret
image: alpine:latest
imagePullPolicy: IfNotPresent
env:
- name: KUBECTL_VERSION
value: "1.28.3"
- name: SOPS_VERSION
value: "3.8.1"
- name: HELM_SECRETS_VERSION
value: "4.5.1"
command: [sh, -ec]
args:
- |
mkdir -p /custom-tools/helm-plugins
wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf-;
wget -qO /custom-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64
wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-amd64
wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl
cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm
chmod +x /custom-tools/*
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
- name: install-ksops
image: viaductoss/ksops:v4.3.0
command: ["/bin/sh", "-c"]
args:
- echo "Installing KSOPS...";
mv ksops /custom-tools/;
mv kustomize /custom-tools/;
echo "Done.";
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
containers:
- name: argocd-repo-server
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
- mountPath: /usr/local/sbin/helm
name: custom-tools
subPath: helm
- mountPath: /usr/local/bin/kustomize
name: custom-tools
subPath: kustomize
- mountPath: /usr/local/bin/ksops
name: custom-tools
subPath: ksops
env:
- name: HELM_PLUGINS
value: /custom-tools/helm-plugins/
- name: HELM_SECRETS_CURL_PATH
value: /custom-tools/curl
- name: HELM_SECRETS_SOPS_PATH
value: /custom-tools/sops
- name: HELM_SECRETS_KUBECTL_PATH
value: /custom-tools/kubectl
- name: HELM_SECRETS_BACKEND
value: sops
- name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS
value: "false"
- name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH
value: "true"
- name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL
value: "false"
- name: HELM_SECRETS_WRAPPER_ENABLED
value: "true"
- name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR
value: "true"
- name: HELM_SECRETS_HELM_PATH
value: /usr/local/bin/helm
- name: SOPS_AGE_KEY
valueFrom:
secretKeyRef:
name: argocd-age-credentials
key: age_secret_key |
Current Behavior
Hi Team,
We are trying to install helm using values.yaml which we have encrypted using sops and will be referencing it when we create the Application following the below link.
https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration
In this process we are unable to add the helm.valuesFileSchemes field in argocd-cm Config Map, where after adding it the change is not reflecting or the values get reverted back when we reload it after saving.
Also we are using the RedHat OpenShift GitOps operator, so could you please let us know if it is possible to add the helm.valuesFileSchemes field in it. If so, where can we add it in the operator.
Thanks!!
Expected Behavior
No response
Steps To Reproduce
No response
Environment
Anything else?
No response
The text was updated successfully, but these errors were encountered: