fix: improve argocd secret handling

2025-03-24 18:54:56 +01:00 · 2025-03-24 18:54:56 +01:00 · 01832f2e41
commit 01832f2e41
parent 94dd2f395e
2 changed files with 22 additions and 9 deletions
--- a/admin/libhelm.sh
+++ b/admin/libhelm.sh
@ -44,10 +44,21 @@ function field_manager() {
 }
-function get_kubezero_secret() {
+function get_secret_val() {
-  export _key="$1"
+  local ns=$1
  local secret=$2
  local val=$(kubectl get secret -n $ns $secret -o yaml | yq ".data.\"$3\"")
-  kubectl get secrets -n kubezero kubezero-secrets -o yaml | yq '.data.[env(_key)]' | base64 -d -w0
+  if [ "$val" != "null" ]; then
    echo -n $val | base64 -d -w0
  else
    echo ""
  fi
 }
 function get_kubezero_secret() {
  get_secret_val kubezero kubezero-secrets "$1"
 }
@ -55,7 +66,9 @@ function set_kubezero_secret() {
  local key="$1"
  local val="$2"
-  kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
+  if [ -n "$val" ]; then
    kubectl patch secret -n kubezero kubezero-secrets --patch="{\"data\": { \"$key\": \"$(echo -n $val |base64 -w0)\" }}"
  fi
 }
@ -139,7 +152,7 @@ function delete_ns() {
 # Extract crds via helm calls
 function crds() {
-  helm secrets --evaluate-templates template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
+  helm template $(chart_location $chart) -n $namespace --name-template $module $targetRevision --include-crds -f $WORKDIR/values.yaml $API_VERSIONS --kube-version $KUBE_VERSION $@ | python3 -c '
 #!/usr/bin/python3
 import yaml
 import sys
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@ -6,16 +6,16 @@ kubectl get application kubezero-git-sync -n argocd || \
 PW=$(get_kubezero_secret argo-cd.adminPassword)
 if [ -z "$PW" ]; then
  # Check for existing password in actual secret
-  NEW_PW=$(kubectl get secret argocd-secret -n argocd -o yaml | yq '.data."admin.password"')
+  NEW_PW=$(get_secret_val argocd argocd-secret "admin.password")
-  if [ "$NEW_PW" == "null" ];then
+  if [ -z "$NEW_PW" ];then
    ARGO_PWD=$(date +%s | sha256sum | base64 | head -c 12 ; echo)
-    NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/' | base64 -w0)
+    NEW_PW=$(htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/')
    set_kubezero_secret argo-cd.adminPasswordClear $ARGO_PWD
  fi
-  set_kubezero_secret argo-cd.adminPassword $NEW_PW
+  set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi
 # GitSync privateKey