feat: introduce vals cmp plugin for argoCD

2025-04-10 22:50:08 +00:00 · 2025-04-10 22:50:08 +00:00 · 88aa742dfd
commit 88aa742dfd
parent b48bef599c
7 changed files with 121 additions and 103 deletions
--- a/charts/kubezero-argo/hooks.d/pre-install.sh
+++ b/charts/kubezero-argo/hooks.d/pre-install.sh
@ -18,12 +18,6 @@ if [ -z "$PW" ]; then
  set_kubezero_secret argo-cd.adminPassword "$NEW_PW"
 fi

-# GitSync privateKey
-GITKEY=$(get_kubezero_secret argo-cd.kubezero.sshPrivateKey)
-if [ -z "$GITKEY" ]; then
-  set_kubezero_secret argo-cd.kubezero.sshPrivateKey "Insert ssh Private Key from your git server"
-fi
-
 # Redis secret
 kubectl get secret argocd-redis -n argocd || kubectl create secret generic argocd-redis -n argocd \
    --from-literal=auth=$(date +%s | sha256sum | base64 | head -c 16 ; echo)
--- a/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
+++ b/charts/kubezero-argo/templates/argo-cd/kubezero-git-sync-secret.yaml
@ -1,4 +1,4 @@
-{{- if and (index .Values "argo-cd" "kubezero" "sshPrivateKey") (index .Values "argo-cd" "kubezero" "repoUrl") }}
+{{- if index .Values "argo-cd" "kubezero" "repoUrl" }}
 apiVersion: v1
 kind: Secret
 metadata:
@ -12,5 +12,10 @@ stringData:
  name: kubezero-git-sync
  type: git
  url: {{ index .Values "argo-cd" "kubezero" "repoUrl" }}
+  {{- if hasPrefix "https" (index .Values "argo-cd" "kubezero" "repoUrl") }}
+  username: {{ index .Values "argo-cd" "kubezero" "username" }}
+  password: {{ index .Values "argo-cd" "kubezero" "password" }}
+  {{- else }}
  sshPrivateKey: {{ index .Values "argo-cd" "kubezero" "sshPrivateKey" }}
+  {{- end }}
 {{- end }}
--- a/charts/kubezero-argo/values.yaml
+++ b/charts/kubezero-argo/values.yaml
@ -125,6 +125,34 @@ argo-cd:
          resources: ["secrets"]
          verbs: ["get", "watch", "list"]

+    # cmp vals plugin
+    # @ignored
+    extraContainers:
+      - name: cmp-vals
+        image: '{{ default .Values.global.image.repository .Values.repoServer.image.repository }}:{{ default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag }}'
+        imagePullPolicy: '{{ default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+
  server:
    # Rename former https port to grpc, works with istio + insecure
    service:
@ -164,6 +192,8 @@ argo-cd:
    path: "/"
    targetRevision: HEAD
    sshPrivateKey: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.sshPrivateKey
+    username: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.username
+    password: secretref+k8s://v1/Secret/kubezero/kubezero-secrets/argo-cd.kubezero.password

 argocd-image-updater:
  enabled: false
--- a/charts/kubezero/templates/_aws.tpl
+++ b/charts/kubezero/templates/_aws.tpl
@ -0,0 +1,30 @@
+{{- define "aws-iam-env" -}}
+- name: AWS_ROLE_ARN
+  value: "arn:aws:iam::{{ $.Values.global.aws.accountId }}:role/{{ $.Values.global.aws.region }}.{{ $.Values.global.clusterName }}.{{ .roleName }}"
+- name: AWS_WEB_IDENTITY_TOKEN_FILE
+  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
+- name: AWS_STS_REGIONAL_ENDPOINTS
+  value: "regional"
+- name: METADATA_TRIES
+  value: "0"
+- name: AWS_REGION
+  value: {{ $.Values.global.aws.region }}
+{{- end }}
+
+
+{{- define "aws-iam-volumes" -}}
+- name: aws-token
+  projected:
+    sources:
+    - serviceAccountToken:
+        path: token
+        expirationSeconds: 86400
+        audience: "sts.amazonaws.com"
+{{- end }}
+
+
+{{- define "aws-iam-volumemounts" -}}
+- name: aws-token
+  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
+  readOnly: true
+{{- end }}
--- a/charts/kubezero/templates/addons.yaml
+++ b/charts/kubezero/templates/addons.yaml
@ -42,28 +42,11 @@ external-dns:
    - "--aws-zone-type=public"
    - "--aws-zones-cache-duration=1h"
  env:
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.externalDNS"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "externalDNS") .) | nindent 4 }}
  extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
  extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
  {{- end }}

 cluster-autoscaler:
@ -98,17 +81,9 @@ cluster-autoscaler:
    AWS_WEB_IDENTITY_TOKEN_FILE: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    AWS_STS_REGIONAL_ENDPOINTS: "regional"
  extraVolumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
  extraVolumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
  {{- end }}

 {{- with .Values.addons.fuseDevicePlugin }}
@ -155,14 +130,7 @@ aws-node-termination-handler:
  queueURL: "https://sqs.{{ .Values.global.aws.region }}.amazonaws.com/{{ .Values.global.aws.accountId }}/{{ .Values.global.clusterName }}_Nth"
  managedTag: "zdt:kubezero:nth:{{ .Values.global.clusterName }}"
  extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsNth"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsNth") .) | nindent 4 }}

 aws-eks-asg-rolling-update-handler:
  enabled: {{ default "true" (index .Values "addons" "aws-eks-asg-rolling-update-handler" "enabled") }}
@ -172,10 +140,9 @@ aws-eks-asg-rolling-update-handler:
  {{- end }}

  environmentVars:
+    {{- include "aws-iam-env" (merge (dict "roleName" "awsRuh") .) | nindent 4 }}
    - name: CLUSTER_NAME
      value: {{ .Values.global.clusterName }}
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
    - name: EXECUTION_INTERVAL
      value: "60"
    - name: METRICS
@ -184,12 +151,6 @@ aws-eks-asg-rolling-update-handler:
      value: "true"
    - name: SLOW_MODE
      value: "true"
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.awsRuh"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"

 {{- with (index .Values "addons" "neuron-helm-chart") }}
 neuron-helm-chart:
--- a/charts/kubezero/templates/argo.yaml
+++ b/charts/kubezero/templates/argo.yaml
@ -23,38 +23,51 @@ argo-cd:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
  repoServer:
-    metrics:
-      enabled: {{ .Values.metrics.enabled }}
-
-    {{- if eq .Values.global.platform "aws" }}
-    env:
-      - name: AWS_ROLE_ARN
-        value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-repo-server"
-      - name: AWS_WEB_IDENTITY_TOKEN_FILE
-        value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-      - name: AWS_STS_REGIONAL_ENDPOINTS
-        value: "regional"
-      - name: METADATA_TRIES
-        value: "0"
-      - name: AWS_REGION
-        value: {{ .Values.global.aws.region }}
-    volumes:
-    - name: aws-token
-      projected:
-        sources:
-        - serviceAccountToken:
-            path: token
-            expirationSeconds: 86400
-            audience: "sts.amazonaws.com"
-    volumeMounts:
-    - name: aws-token
-      mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-      readOnly: true
-    {{- end }}
-
    {{- with index .Values "argo" "argo-cd" "repoServer" }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
+
+    metrics:
+      enabled: {{ .Values.metrics.enabled }}
+
+    volumes:
+      - name: cmp-tmp
+        emptyDir: {}
+    {{- if eq .Values.global.platform "aws" }}
+      {{- include "aws-iam-volumes" . | nindent 6 }}
+
+    env:
+      {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 6 }}
+    volumeMounts:
+      {{- include "aws-iam-volumemounts" . | nindent 6 }}
+
+    extraContainers:
+      - name: cmp-vals
+        image: '{{ "{{" }} default .Values.global.image.repository .Values.repoServer.image.repository {{ "}}" }}:{{ "{{" }} default (include "argo-cd.defaultTag" .) .Values.repoServer.image.tag {{ "}}" }}'
+        imagePullPolicy: '{{ "{{" }} default .Values.global.image.imagePullPolicy .Values.repoServer.image.imagePullPolicy {{ "}}" }}'
+        command: ["/var/run/argocd/argocd-cmp-server"]
+        env:
+          {{- include "aws-iam-env" (merge (dict "roleName" "argocd-repo-server") .) | nindent 10 }}
+        volumeMounts:
+          - mountPath: /var/run/argocd
+            name: var-files
+          - mountPath: /home/argocd/cmp-server/plugins
+            name: plugins
+          - mountPath: /tmp
+            name: cmp-tmp
+          {{- include "aws-iam-volumemounts" . | nindent 10 }}
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          runAsUser: 999
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+    {{- end }}
+
  server:
    metrics:
      enabled: {{ .Values.metrics.enabled }}
@ -80,28 +93,11 @@ argocd-image-updater:

  {{- if eq .Values.global.platform "aws" }}
  extraEnv:
-    - name: AWS_ROLE_ARN
-      value: "arn:aws:iam::{{ .Values.global.aws.accountId }}:role/{{ .Values.global.aws.region }}.{{ .Values.global.clusterName }}.argocd-image-updater"
-    - name: AWS_WEB_IDENTITY_TOKEN_FILE
-      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
-    - name: AWS_STS_REGIONAL_ENDPOINTS
-      value: "regional"
-    - name: METADATA_TRIES
-      value: "0"
-    - name: AWS_REGION
-      value: {{ .Values.global.aws.region }}
+    {{- include "aws-iam-env" (merge (dict "roleName" "argocd-image-updater") .) | nindent 4 }}
  volumes:
-  - name: aws-token
-    projected:
-      sources:
-      - serviceAccountToken:
-          path: token
-          expirationSeconds: 86400
-          audience: "sts.amazonaws.com"
+    {{- include "aws-iam-volumes" . | nindent 4 }}
  volumeMounts:
-  - name: aws-token
-    mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
-    readOnly: true
+    {{- include "aws-iam-volumemounts" . | nindent 4 }}
  {{- end }}

  metrics:
--- a/charts/kubezero/values.yaml
+++ b/charts/kubezero/values.yaml
@ -6,7 +6,9 @@ global:

  highAvailable: false

-  aws: {}
+  aws:
+    accountId: "123456789012"
+    region: the-moon
  gcp: {}

 addons: