feat: integrate kubectl config script into repo-server wrapper
parent
24a3d6ff95
commit
e87f9d1a7a
12
Dockerfile
12
Dockerfile
@ -16,7 +16,8 @@ ENV HELM_SECRETS_BACKEND="vals" \
|
|||||||
HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
|
HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
|
||||||
HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
|
HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
|
||||||
HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
|
HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
|
||||||
HELM_SECRETS_WRAPPER_ENABLED=true
|
HELM_SECRETS_WRAPPER_ENABLED=true \
|
||||||
|
KUBECONFIG=/tmp/kubectl.config
|
||||||
|
|
||||||
# Optionally, set default gpg key for sops files
|
# Optionally, set default gpg key for sops files
|
||||||
# ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key
|
# ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key
|
||||||
@ -37,12 +38,13 @@ RUN curl -fsSL https://github.com/helmfile/vals/releases/download/${VALS_VERSION
|
|||||||
| tar xzf - -C /usr/local/bin/ vals \
|
| tar xzf - -C /usr/local/bin/ vals \
|
||||||
&& chmod +x /usr/local/bin/vals
|
&& chmod +x /usr/local/bin/vals
|
||||||
|
|
||||||
RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm
|
RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm && \
|
||||||
|
rm -f /usr/local/bin/argocd-repo-server
|
||||||
|
|
||||||
# Add init script to convert SA token into kubeconfig for vals
|
# replace argocd-repo-server with wrapper to install kubectl config
|
||||||
ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
|
ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server
|
||||||
|
|
||||||
USER ${ARGOCD_USER_ID}
|
USER ${ARGOCD_USER_ID}
|
||||||
|
|
||||||
RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
|
RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
|
||||||
RUN mkdir -p /home/argocd/.kube && sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
|
RUN sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
|
||||||
|
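Review bot: The wrapper is installed with `ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server` and nothing in the visible lines sets its mode, so whether the repo-server can start now depends on the file's executable bit in the build context. `COPY --chmod=0755 argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server` (needs BuildKit) makes the mode explicit and avoids `ADD` for a plain local file. The new `KUBECONFIG=/tmp/kubectl.config` is set image-wide, so every process the repo-server spawns inherits it, not only vals. A comment on that line, such as `# written at start-up by the argocd-repo-server wrapper; carries the pod's service-account access`, would record that this is intended. Because the path is a fixed name under /tmp, the file's protection rests entirely on the permissions the wrapper script applies.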
@ -5,7 +5,7 @@ Customized ArgoCD image for KubeZero
|
|||||||
## Changes
|
## Changes
|
||||||
- added sops, helm-secrets and vals binaries
|
- added sops, helm-secrets and vals binaries
|
||||||
- configured helm-secrets to use vals backend
|
- configured helm-secrets to use vals backend
|
||||||
- init script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
|
- argocd-repo-server wrapper script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
|
||||||
|
|
||||||
## Credits:
|
## Credits:
|
||||||
- https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-1-custom-docker-image
|
- https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-1-custom-docker-image
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#!/bin/sh -e
|
#!/bin/sh
|
||||||
|
|
||||||
KUBECONFIG=$1
|
KUBECONFIG=/tmp/kubectl.config
|
||||||
SA_NAME=argo-argocd-repo-server
|
SA_NAME=argo-argocd-repo-server
|
||||||
|
|
||||||
CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
|
CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
|
||||||
@ -27,3 +27,5 @@ current-context: ${SA_NAME}_context
|
|||||||
EOF
|
EOF
|
||||||
|
|
||||||
chmod 600 $KUBECONFIG
|
chmod 600 $KUBECONFIG
|
||||||
|
|
||||||
|
ARGOCD_BINARY_NAME=argocd-repo-server /usr/local/bin/argocd $@
|
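Review bot: The added last line starts argocd as a child of the shell and passes `$@` unquoted, so the shell stays in front of the server and does not forward SIGTERM to it, and any argument containing whitespace is re-split. `export ARGOCD_BINARY_NAME=argocd-repo-server` followed by `exec /usr/local/bin/argocd "$@"` fixes both. The shebang also drops `-e`, so a failure while reading the service-account files or writing the kubeconfig no longer stops start-up; if that is deliberate, a comment saying so would help. `chmod 600 $KUBECONFIG` runs only after the file has been written; the write itself is outside the visible hunks, but a `umask 077` before it would avoid a window in which the file has default permissions.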