Feat: Argo integrate helm-secrets and vals

charts/kubezero-argo/README.md

@@ -1,6 +1,6 @@
 # kubezero-argo
 
-![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square)
+![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square)
 
 KubeZero Argo - Events, Workflow, CD
 
@@ -18,23 +18,22 @@ Kubernetes: `>= 1.26.0`
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://argoproj.github.io/argo-helm | argo-cd | 6.7.10 |
+| https://argoproj.github.io/argo-helm | argo-cd | 6.9.2 |
 | https://argoproj.github.io/argo-helm | argo-events | 2.4.4 |
 | https://argoproj.github.io/argo-helm | argocd-apps | 2.0.0 |
-| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.9.6 |
+| https://argoproj.github.io/argo-helm | argocd-image-updater | 0.10.0 |
 | https://cdn.zero-downtime.net/charts/ | kubezero-lib | >= 0.1.6 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| argo-cd.applicationSet.enabled | bool | `false` |  |
 | argo-cd.configs.cm."resource.customizations" | string | `"cert-manager.io/Certificate:\n  # Lua script for customizing the health status assessment\n  health.lua: |\n    hs = {}\n    if obj.status ~= nil then\n      if obj.status.conditions ~= nil then\n        for i, condition in ipairs(obj.status.conditions) do\n          if condition.type == \"Ready\" and condition.status == \"False\" then\n            hs.status = \"Degraded\"\n            hs.message = condition.message\n            return hs\n          end\n          if condition.type == \"Ready\" and condition.status == \"True\" then\n            hs.status = \"Healthy\"\n            hs.message = condition.message\n            return hs\n          end\n        end\n      end\n    end\n    hs.status = \"Progressing\"\n    hs.message = \"Waiting for certificate\"\n    return hs\n"` |  |
 | argo-cd.configs.cm."timeout.reconciliation" | string | `"300s"` |  |
-| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.27 - Release notes"` |  |
+| argo-cd.configs.cm."ui.bannercontent" | string | `"KubeZero v1.28 - Release notes"` |  |
 | argo-cd.configs.cm."ui.bannerpermanent" | string | `"true"` |  |
 | argo-cd.configs.cm."ui.bannerposition" | string | `"bottom"` |  |
-| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.27"` |  |
+| argo-cd.configs.cm."ui.bannerurl" | string | `"https://kubezero.com/releases/v1.28"` |  |
 | argo-cd.configs.cm.url | string | `"https://argocd.example.com"` |  |
 | argo-cd.configs.params."controller.operation.processors" | string | `"5"` |  |
 | argo-cd.configs.params."controller.status.processors" | string | `"10"` |  |
@@ -50,13 +49,37 @@ Kubernetes: `>= 1.26.0`
 | argo-cd.controller.resources.requests.memory | string | `"512Mi"` |  |
 | argo-cd.dex.enabled | bool | `false` |  |
 | argo-cd.enabled | bool | `false` |  |
+| argo-cd.global.image.repository | string | `"public.ecr.aws/zero-downtime/zdt-argocd"` |  |
+| argo-cd.global.image.tag | string | `"v2.11.0"` |  |
 | argo-cd.global.logging.format | string | `"json"` |  |
 | argo-cd.istio.enabled | bool | `false` |  |
 | argo-cd.istio.gateway | string | `"istio-ingress/ingressgateway"` |  |
 | argo-cd.istio.ipBlocks | list | `[]` |  |
 | argo-cd.notifications.enabled | bool | `false` |  |
+| argo-cd.repoServer.clusterRoleRules.enabled | bool | `true` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].apiGroups[0] | string | `""` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].resources[0] | string | `"secrets"` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[0] | string | `"get"` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[1] | string | `"watch"` |  |
+| argo-cd.repoServer.clusterRoleRules.rules[0].verbs[2] | string | `"list"` |  |
+| argo-cd.repoServer.initContainers[0].command[0] | string | `"/usr/local/bin/sa2kubeconfig.sh"` |  |
+| argo-cd.repoServer.initContainers[0].command[1] | string | `"/home/argocd/.kube/config"` |  |
+| argo-cd.repoServer.initContainers[0].image | string | `"public.ecr.aws/zero-downtime/zdt-argocd:v2.11.0"` |  |
+| argo-cd.repoServer.initContainers[0].imagePullPolicy | string | `"IfNotPresent"` |  |
+| argo-cd.repoServer.initContainers[0].name | string | `"create-kubeconfig"` |  |
+| argo-cd.repoServer.initContainers[0].securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| argo-cd.repoServer.initContainers[0].securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| argo-cd.repoServer.initContainers[0].securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| argo-cd.repoServer.initContainers[0].securityContext.runAsNonRoot | bool | `true` |  |
+| argo-cd.repoServer.initContainers[0].securityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| argo-cd.repoServer.initContainers[0].volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
+| argo-cd.repoServer.initContainers[0].volumeMounts[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.repoServer.metrics.enabled | bool | `false` |  |
 | argo-cd.repoServer.metrics.serviceMonitor.enabled | bool | `true` |  |
+| argo-cd.repoServer.volumeMounts[0].mountPath | string | `"/home/argocd/.kube"` |  |
+| argo-cd.repoServer.volumeMounts[0].name | string | `"kubeconfigs"` |  |
+| argo-cd.repoServer.volumes[0].emptyDir | object | `{}` |  |
+| argo-cd.repoServer.volumes[0].name | string | `"kubeconfigs"` |  |
 | argo-cd.server.metrics.enabled | bool | `false` |  |
 | argo-cd.server.metrics.serviceMonitor.enabled | bool | `true` |  |
 | argo-cd.server.service.servicePortHttpsName | string | `"grpc"` |  |
@@ -87,6 +110,7 @@ Kubernetes: `>= 1.26.0`
 | argocd-image-updater.sshConfig.config | string | `"Host *\n  PubkeyAcceptedAlgorithms +ssh-rsa\n  HostkeyAlgorithms +ssh-rsa\n"` |  |
 
 ## Resources
+- https://github.com/argoproj/argoproj/blob/main/docs/end_user_threat_model.pdf
 - https://argoproj.github.io/argo-cd/operator-manual/metrics/
 - https://raw.githubusercontent.com/argoproj/argo-cd/master/examples/dashboard.json
 

charts/kubezero-argo/README.md.gotmpl

@@ -16,6 +16,7 @@
 {{ template "chart.valuesSection" . }}
 
 ## Resources
+- https://github.com/argoproj/argoproj/blob/main/docs/end_user_threat_model.pdf
 - https://argoproj.github.io/argo-cd/operator-manual/metrics/
 - https://raw.githubusercontent.com/argoproj/argo-cd/master/examples/dashboard.json
 

charts/kubezero-argo/values.yaml

@@ -36,19 +36,16 @@ argocd-apps:
   projects: {}
   applications: {}
 
+
 argo-cd:
   enabled: false
-  #configs:
-  #  secret:
-  #    `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
-  #    argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
-  #    argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
 
   global:
     logging:
       format: json
-  # image:
+    image:
-  #   tag: v2.1.6
+      repository: public.ecr.aws/zero-downtime/zdt-argocd
+      tag: v2.11.0
 
   configs:
     styles: |
@@ -94,6 +91,10 @@ argo-cd:
 
     secret:
       createSecret: false
+      # `htpasswd -nbBC 10 "" $ARGO_PWD | tr -d ':\n' | sed 's/$2y/$2a/'`
+      # argocdServerAdminPassword: "$2a$10$ivKzaXVxMqdeDSfS3nqi1Od3iDbnL7oXrixzDfZFRHlXHnAG6LydG"
+      # argocdServerAdminPassword: "ref+file://secrets.yaml#/test"
+      # argocdServerAdminPasswordMtime: "2020-04-24T15:33:09BST"
 
     ssh:
       extraHosts: "git.zero-downtime.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC8YdJ4YcOK7A0K7qOWsRjCS+wHTStXRcwBe7gjG43HPSNijiCKoGf/c+tfNsRhyouawg7Law6M6ahmS/jKWBpznRIM+OdOFVSuhnK/nr6h6wG3/ZfdLicyAPvx1/STGY/Fc6/zXA88i/9PV+g84gSVmhf3fGY92wokiASiu9DU4T9dT1gIkdyOX6fbMi1/mMKLSrHnAQcjyasYDvw9ISCJ95EoSwbj7O4c+7jo9fxYvdCfZZZAEZGozTRLAAO0AnjVcRah7bZV/jfHJuhOipV/TB7UVAhlVv1dfGV7hoTp9UKtKZFJF4cjIrSGxqQA/mdhSdLgkepK7yc4Jp2xGnaarhY29DfqsQqop+ugFpTbj7Xy5Rco07mXc6XssbAZhI1xtCOX20N4PufBuYippCK5AE6AiAyVtJmvfGQk4HP+TjOyhFo7PZm3wc9Hym7IBBVC0Sl30K8ddufkAgHwNGvvu1ZmD9ZWaMOXJDHBCZGMMr16QREZwVtZTwMEQalc7/yqmuqMhmcJIfs/GA2Lt91y+pq9C8XyeUL0VFPch0vkcLSRe3ghMZpRFJ/ht307xPcLzgTJqN6oQtNNDzSQglSEjwhge2K4GyWcIh+oGsWxWz5dHyk1iJmw90Y976BZIl/mYVgbTtZAJ81oGe/0k5rAe+LDL+Yq6tG28QFOg0QmiQ=="
@@ -125,6 +126,41 @@ argo-cd:
       serviceMonitor:
         enabled: true
 
+    volumes:
+      - name: kubeconfigs
+        emptyDir: {}
+    volumeMounts:
+    - mountPath: /home/argocd/.kube
+      name: kubeconfigs
+
+    # Allow vals to read internal secrets across all namespaces
+    clusterRoleRules:
+      enabled: true
+      rules:
+        - apiGroups: [""]
+          resources: ["secrets"]
+          verbs: ["get", "watch", "list"]
+
+    initContainers:
+      - name: create-kubeconfig
+        image: public.ecr.aws/zero-downtime/zdt-argocd:v2.11.0
+        imagePullPolicy: IfNotPresent
+        command:
+          - /usr/local/bin/sa2kubeconfig.sh
+          - /home/argocd/.kube/config
+        volumeMounts:
+        - mountPath: /home/argocd/.kube
+          name: kubeconfigs
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+            - ALL
+
   server:
     # Rename former https port to grpc, works with istio + insecure
     service:
@@ -141,9 +177,6 @@ argo-cd:
   dex:
     enabled: false
 
-  applicationSet:
-    enabled: false
-
   notifications:
     enabled: false