From 01832f2e4158727a748c81a5d8e1fc18c87a6325 Mon Sep 17 00:00:00 2001
From: Stefan Reimer
Date: Mon, 24 Mar 2025 18:54:56 +0100
Subject: [PATCH] fix: improve argocd secret handling
---
 admin/libhelm.sh | 23 ++++++++++++++++-----
 charts/kubezero-argo/hooks.d/pre-install.sh | 8 +++----
 2 files changed, 22 insertions(+), 9 deletions(-)
 mode change 100644 => 100755 charts/kubezero-argo/hooks.d/pre-install.sh
diff --git a/admin/libhelm.sh b/admin/libhelm.sh
index 41c33223..68d1c4bc 100644
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@@ -44,10 +44,21 @@ function field_manager() {
 }
-function get_kubezero_secret() {
- export _key="$1"
+function get_secret_val() {
+ local ns=$1
+ local secret=$2
+ local val=$(kubectl get secret -n $ns $secret -o yaml | yq ".data.\"$3\"")
- kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0
+ if [ "$val" != "null" ]; then
+ echo -n $val | base64 -d -w0
+ else
+ echo ""
+ fi
+}
+
+
+function get_kubezero_secret() {
+ get_secret_val kubezero kubezero-secrets "$1"
 }
@@ -55,7 +66,9 @@ function set_kubezero_secret() {
 local key="$1"
 local val="$2"
- kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
+ if [ -n "$val" ]; then
+ kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
+ fi
 }
@@ -139,7 +152,7 @@ function delete_ns() {
 # Extract crds via helm calls
 function crds() {
- helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
+ helm template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
 #!/usr/bin/python3
 import yaml
 import sys
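Review bot: In `get_secret_val`, `local val=$(kubectl … | yq …)` discards kubectl's exit status, so an API or RBAC failure produces the same empty result as a key that does not exist. In pre-install.sh that empty result is what leads to a new admin password being generated and stored. Declaring `local yaml val` and splitting the fetch from the lookup keeps the cases apart: `yaml=$(kubectl get secret -n "$ns" "$secret" -o yaml --ignore-not-found) || return 1`, then `val=$(printf '%s' "$yaml" | _key="$3" yq '.data.[env(_key)]')`. The second line also returns to the `env()` lookup the removed code used, so the key name is no longer spliced into the yq expression. `echo -n $val` should quote `"$val"` as well.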
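Review bot: The re-indented `kubectl patch` line in `set_kubezero_secret` still expands the secret unquoted in `echo -n $val`, so a value containing whitespace or glob characters is word-split or expanded before it is encoded and the stored secret can differ from what the caller passed. `$(printf '%s' "$val" | base64 -w0)` encodes the exact bytes. The new `-n` guard also returns success without writing anything, so a caller cannot tell a skipped update from a stored one; an `else` branch printing one line to stderr would make that visible. The function's opening line appears only in the hunk header.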
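Review bot: Nothing on the rewritten `helm template` line or in the commit message records why CRD extraction no longer goes through `helm secrets --evaluate-templates`. If the reason is that only CRDs are kept from the rendered output and no secret-backed values are needed, a comment such as `# plain helm template: only CRDs are extracted, no secret values needed` above the call would state that. While the line is being touched, `"$@"` and `"$WORKDIR/values.yaml"` should be quoted so extra arguments and paths with spaces are passed through intact. The body of `crds()` continues past the end of the hunk.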
diff --git a/charts/kubezero-argo/hooks.d/pre-install.sh b/charts/kubezero-argo/hooks.d/pre-install.sh
old mode 100644
new mode 100755
index a2ca71ca..d1775266
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@@ -6,16 +6,16 @@ kubectl get application kubezero-git-sync -n argocd || \
 PW=$(get_kubezero_secret argo-cd.adminPassword)
 if [ -z "$PW" ]; then
 # Check for existing password in actual secret
- NEW_PW=$(kubectl get secret argocd-secret -n argocd -o yaml | yq '.data."admin.password"')
+ NEW_PW=$(get_secret_val argocd argocd-secret "admin.password")
- if [ "$NEW_PW" == "null" ];then
+ if [ -z "$NEW_PW" ];then
 ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo)
- NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0)
+ NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/')
 set_kubezero_secret argo-cd.adminPasswordClear $ARGO_PWD
 fi
- set_kubezero_secret argo-cd.adminPassword $NEW_PW
+ set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi
 # GitSync privateKey
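Review bot: The fallback password on the unchanged `ARGO_PWD=$(date +%s | …)` line is derived only from the current Unix time, so it is guessable by anyone who knows roughly when the hook ran. Since this commit reworks the surrounding secret handling, this is the place to switch to the kernel CSPRNG, e.g. `ARGO_PWD=$(head -c 12 /dev/urandom | base64)`. The rewritten `htpasswd -nbBC 10 "" $ARGO_PWD` call also puts the clear-text password on the command line, where it is visible in the process list; `printf '%s' "$ARGO_PWD" | htpasswd -niBC 10 ""` reads it from stdin instead. `$ARGO_PWD` should be quoted in the `set_kubezero_secret argo-cd.adminPasswordClear` call, as the new code already does for `"$NEW_PW"`. The script continues beyond the hunk.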