.ci/podman.mk

@@ -1,13 +1,3 @@
-SHELL := bash
-.SHELLFLAGS := -eu -o pipefail -c
-.DELETE_ON_ERROR:
-.SILENT: ; # no need for @
-.ONESHELL: ; # recipes execute in same shell
-.NOTPARALLEL: ; # wait for this target to finish
-.EXPORT_ALL_VARIABLES: ; # send all vars to shell
-.PHONY: all # All targets are accessible for user
-.DEFAULT: help # Running Make will run the help target
-
 # Parse version from latest git semver tag
 GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
 GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
@@ -33,6 +23,13 @@ ifneq ($(TRIVY_REMOTE),)
 	TRIVY_OPTS ::= --server $(TRIVY_REMOTE)
 endif
 
+.SILENT: ; # no need for @
+.ONESHELL: ; # recipes execute in same shell
+.NOTPARALLEL: ; # wait for this target to finish
+.EXPORT_ALL_VARIABLES: ; # send all vars to shell
+.PHONY: all # All targets are accessible for user
+.DEFAULT: help # Running Make will run the help target
+
 help: ## Show Help
 	grep -E '^[a-zA-Z_-]+:.*?## .*$$' .ci/podman.mk | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
@@ -43,7 +40,7 @@ fmt:: ## auto format source
 lint:: ## Lint source
 
 build: ## Build the app
-	podman build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
+	buildah build --rm --layers -t $(IMAGE):$(TAG)-$(_ARCH) --build-arg TAG=$(TAG) --build-arg ARCH=$(_ARCH) --platform linux/$(_ARCH) .
 
 test:: ## test built artificats
 
@@ -54,17 +51,16 @@ scan: ## Scan image using trivy
 # first tag and push all actual images
 # create new manifest for each tag and add all available TAG-ARCH before pushing
 push: ecr-login ## push images to registry
-	for t in $(TAG) latest $(EXTRA_TAGS); do
+	for t in $(TAG) latest $(EXTRA_TAGS); do \
 		echo "Tagging image with $(REGISTRY)/$(IMAGE):$${t}-$(ARCH)"
-		podman tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH)
-		podman manifest rm $(IMAGE):$$t || true
-		podman manifest create $(IMAGE):$$t
-		for a in $(ALL_ARCHS); do
-			podman image exists $(REGISTRY)/$(IMAGE):$$t-$$a && \
-			podman manifest add $(IMAGE):$$t containers-storage:$(REGISTRY)/$(IMAGE):$$t-$$a
-		done
+		buildah tag $(IMAGE):$(TAG)-$(_ARCH) $(REGISTRY)/$(IMAGE):$${t}-$(_ARCH); \
+		buildah manifest rm $(IMAGE):$$t || true; \
+		buildah manifest create $(IMAGE):$$t; \
+		for a in $(ALL_ARCHS); do \
+			buildah manifest add $(IMAGE):$$t $(REGISTRY)/$(IMAGE):$(TAG)-$$a; \
+		done; \
 		echo "Pushing manifest $(IMAGE):$$t"
-		podman manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t
+		buildah manifest push --all $(IMAGE):$$t docker://$(REGISTRY)/$(IMAGE):$$t; \
 	done
 
 ecr-login: ## log into AWS ECR public
@@ -77,15 +73,14 @@ rm-remote-untagged: ## delete all remote untagged and in-dev images, keep 10 tag
 clean:: ## clean up source folder
 
 rm-image:
-	for t in $(TAG) latest $(EXTRA_TAGS); do
-		for a in $(ALL_ARCHS); do
-			podman image exists $(IMAGE):$$t-$$a && podman image rm -f $(IMAGE):$$t-$$a || true
-		done
+	for t in $(TAG) latest $(EXTRA_TAGS); do \
+		test -z "$$(podman image ls -q $(IMAGE):$${t}-$(_ARCH))" || podman image rm -f $(IMAGE):$${t}-$(_ARCH); \
+		test -z "$$(podman image ls -q $(IMAGE):$${t})" || podman image rm -f $(IMAGE):$${t}; \
 	done
 
 ## some useful tasks during development
 ci-pull-upstream: ## pull latest shared .ci subtree
-	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash -m "Merge latest ci-tools-lib"
+	git subtree pull --prefix .ci ssh://git@git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash -m "Merge latest ci-tools-lib"
 
 create-repo: ## create new AWS ECR public repository
 	aws ecr-public create-repository --repository-name $(IMAGE) --region $(REGION)

Dockerfile

@@ -1,23 +1,18 @@
-FROM quay.io/argoproj/argocd:v2.14.9
-
-# renovate: datasource=github-releases depName=sops packageName=getsops/sops
-ARG SOPS_VERSION=v3.10.1
-# renovate: datasource=github-releases depName=vals packageName=helmfile/vals
-ARG VALS_VERSION=v0.40.1
-# renovate: datasource=github-releases depName=helm-secrets packageName=jkroepke/helm-secrets
-ARG HELM_SECRETS_VERSION=v4.6.3
+ARG ARGOCD_VERSION="v2.12.4"
+FROM quay.io/argoproj/argocd:$ARGOCD_VERSION
 
+ARG SOPS_VERSION="3.9.1"
+ARG VALS_VERSION="0.37.6"
+ARG HELM_SECRETS_VERSION="4.6.2"
 ARG ARGOCD_USER_ID="999"
-
-# set Vals
+# vals or sops
 ENV HELM_SECRETS_BACKEND="vals" \
     HELM_SECRETS_HELM_PATH=/usr/local/bin/helm \
     HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/" \
     HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
     HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
     HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
-    HELM_SECRETS_WRAPPER_ENABLED=true \
-    KUBECONFIG=/tmp/kubectl.config
+    HELM_SECRETS_WRAPPER_ENABLED=true
 
 # Optionally, set default gpg key for sops files
 # ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key
@@ -29,22 +24,21 @@ RUN apt-get update && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# sops (use via vals!)
-RUN curl -fsSL https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64 \
-    -o /usr/local/bin/sops && chmod +x /usr/local/bin/sops
+# sops backend installation (optional)
+#RUN curl -fsSL https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64 \
+#    -o /usr/local/bin/sops && chmod +x /usr/local/bin/sops
 
-# vals backend installation
-RUN curl -fsSL https://github.com/helmfile/vals/releases/download/${VALS_VERSION}/vals_${VALS_VERSION#v}_linux_amd64.tar.gz \
+# vals backend installation (optional)
+RUN curl -fsSL https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_amd64.tar.gz \
     | tar xzf - -C /usr/local/bin/ vals \
     && chmod +x /usr/local/bin/vals
 
-RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm && \
-    rm -f /usr/local/bin/argocd-repo-server
+RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm
 
-# replace argocd-repo-server with wrapper to install kubectl config
-ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server
+# Add init script to convert SA token into kubeconfig for vals
+ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
 
 USER ${ARGOCD_USER_ID}
 
-RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
-RUN sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"
+RUN helm plugin install --version ${HELM_SECRETS_VERSION} https://github.com/jkroepke/helm-secrets
+RUN mkdir -p /home/argocd/.kube && sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"

Jenkinsfile

@@ -1,4 +1,4 @@
-library identifier: 'zdt-lib@main', retriever: modernSCM(
+library identifier: 'zdt-lib@master', retriever: modernSCM(
   [$class: 'GitSCMSource',
    remote: 'https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git'])
 

README.md

@@ -1,11 +1,10 @@
 # zdt-argocd
 
-Customized ArgoCD image for KubeZero
+Customize ArgoCD image for KubeZero
 
 ## Changes
-- added sops, helm-secrets and vals binaries
-- configured helm-secrets to use vals backend
-- argocd-repo-server wrapper script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
+- added helm-secrets
+- added vals
 
 ## Credits:
 - https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-1-custom-docker-image

renovate.json

@@ -6,15 +6,5 @@
     ":semanticCommits",
     "group:allNonMajor"
   ],
-  "prHourlyLimit": 0,
-  "customManagers": [
-    {
-      "customType": "regex",
-      "description": "Update _VERSION variables in Dockerfiles",
-      "fileMatch": ["(^|/|\\.)Dockerfile$", "(^|/)Dockerfile\\.[^/]*$"],
-      "matchStrings": [
-        "# renovate: datasource=(?<datasource>[a-z-]+?)(?: depName=(?<depName>.+?))? packageName=(?<packageName>.+?)(?: versioning=(?<versioning>[a-z-]+?))?\\s(?:ENV|ARG) .+?_VERSION=(?<currentValue>.+?)\\s"
-      ]
-    }
-  ]
+  "prHourlyLimit": 0
 }

sa2kubeconfig.sh

@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/sh -e
 
-KUBECONFIG=/tmp/kubectl.config
+KUBECONFIG=$1
 SA_NAME=argo-argocd-repo-server
 
 CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
@@ -27,5 +27,3 @@ current-context: ${SA_NAME}_context
 EOF
 
 chmod 600 $KUBECONFIG
-
-ARGOCD_BINARY_NAME=argocd-repo-server /usr/local/bin/argocd $@