feat: Version bump Argo-CD and all tools

06fcff5 feat: improve image cleanup to incl. all tags and repositories
47b4da4 feat: add suport for trivyignore file

git-subtree-dir: .ci
git-subtree-split: 06fcff501dd9dbff3a97a95176f6d7a8590289a7

.ci/podman.mk

@@ -46,7 +46,7 @@ test:: ## test built artificats
 
 scan: ## Scan image using trivy
 	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)
+	trivy image $(TRIVY_OPTS) --quiet --no-progress --ignorefile ./.trivyignore.yaml localhost/$(IMAGE):$(TAG)-$(_ARCH)
 
 # first tag and push all actual images
 # create new manifest for each tag and add all available TAG-ARCH before pushing
@@ -73,8 +73,10 @@ rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tag
 clean:: ## clean up source folder
 
 rm-image:
-	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || podman image rm -f $(IMAGE):$(TAG)-$(_ARCH) > /dev/null
+	for t in $(TAG) latest $(EXTRA_TAGS); do \
-	test -z "$$(podman image ls -q $(IMAGE):$(TAG)-$(_ARCH))" || echo "Error: Removing image failed"
+		test -z "$$(podman image ls -q $(IMAGE):$${t}-$(_ARCH))" || podman image rm -f $(IMAGE):$${t}-$(_ARCH); \
+		test -z "$$(podman image ls -q $(IMAGE):$${t})" || podman image rm -f $(IMAGE):$${t}; \
+	done
 
 ## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree

Dockerfile

@@ -1,9 +1,9 @@
-ARG ARGOCD_VERSION="v2.11.0"
+ARG ARGOCD_VERSION="v2.12.4"
-FROM argoproj/argocd:$ARGOCD_VERSION
+FROM quay.io/argoproj/argocd:$ARGOCD_VERSION
 
-ARG SOPS_VERSION="3.8.1"
+ARG SOPS_VERSION="3.9.1"
-ARG VALS_VERSION="0.37.1"
+ARG VALS_VERSION="0.37.6"
-ARG HELM_SECRETS_VERSION="4.6.0"
+ARG HELM_SECRETS_VERSION="4.6.2"
 ARG ARGOCD_USER_ID="999"
 # vals or sops
 ENV HELM_SECRETS_BACKEND="vals" \
@@ -41,4 +41,4 @@ ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
 USER ${ARGOCD_USER_ID}
 
 RUN helm plugin install --version ${HELM_SECRETS_VERSION} https://github.com/jkroepke/helm-secrets
-RUN sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
+RUN mkdir -p /home/argocd/.kube && sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"

renovate.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":label(renovate)",
+    ":semanticCommits",
+    "group:allNonMajor"
+  ],
+  "prHourlyLimit": 0
+}

sa2kubeconfig.sh

@@ -1,11 +1,12 @@
 #!/bin/sh -e
 
-SA_NAME=argocd-repo-server
+KUBECONFIG=$1
+SA_NAME=argo-argocd-repo-server
 
 CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
 TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token)
 
-cat << EOF
+cat > $KUBECONFIG << EOF
 apiVersion: v1
 kind: Config
 clusters:
@@ -24,3 +25,5 @@ contexts:
     user: $SA_NAME
 current-context: ${SA_NAME}_context
 EOF
+
+chmod 600 $KUBECONFIG