.ci/README.md

@@ -14,7 +14,7 @@ include .ci/podman.mk
 
 Add subtree to your project:
 ```
-git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git main --squash
+git subtree add --prefix .ci https://git.zero-downtime.net/ZeroDownTime/ci-tools-lib.git master --squash
 ```
 
 

.ci/ecr_public_lifecycle.py

@@ -41,8 +41,7 @@ for image in sorted(images, key=lambda d: d['imagePushedAt'], reverse=True):
         _delete = True
         for tag in image["imageTags"]:
             # Look for at least one tag NOT beign a SemVer dev tag
-            # untagged dev builds get tagged as <tag>-g<commit>
+            if "-" not in tag:
-            if "-g" not in tag and "dirty" not in tag:
                 _delete = False
         if _delete:
             print("Deleting development image {}".format(image["imageTags"]))

.ci/podman.mk

@@ -8,8 +8,8 @@ SHELL := bash
 .PHONY: all # All targets are accessible for user
 .DEFAULT: help # Running Make will run the help target
 
-# Parse version from latest git semver tag, use short commit otherwise
+# Parse version from latest git semver tag
-GIT_TAG ?= $(shell git describe --tags --match v*.*.* --dirty 2>/dev/null || git describe --match="" --always --dirty 2>/dev/null)
+GIT_TAG ?= $(shell git describe --tags --match v*.*.* 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
 GIT_BRANCH ?= $(shell git rev-parse --abbrev-ref HEAD 2>/dev/null)
 
 TAG ::= $(GIT_TAG)

Dockerfile

@@ -1,11 +1,11 @@
-FROM quay.io/argoproj/argocd:v2.14.10
+FROM quay.io/argoproj/argocd:v2.13.1
 
 # renovate: datasource=github-releases depName=sops packageName=getsops/sops
-ARG SOPS_VERSION=v3.10.2
+ARG SOPS_VERSION=v3.9.2
 # renovate: datasource=github-releases depName=vals packageName=helmfile/vals
-ARG VALS_VERSION=v0.40.1
+ARG VALS_VERSION=v0.38.0
 # renovate: datasource=github-releases depName=helm-secrets packageName=jkroepke/helm-secrets
-ARG HELM_SECRETS_VERSION=v4.6.3
+ARG HELM_SECRETS_VERSION=v4.6.2
 
 ARG ARGOCD_USER_ID="999"
 
@@ -16,8 +16,7 @@ ENV HELM_SECRETS_BACKEND="vals" \
     HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
     HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
     HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
-    HELM_SECRETS_WRAPPER_ENABLED=true \
+    HELM_SECRETS_WRAPPER_ENABLED=true
-    KUBECONFIG=/tmp/kubectl.config
 
 # Optionally, set default gpg key for sops files
 # ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key
@@ -38,21 +37,12 @@ RUN curl -fsSL https://github.com/helmfile/vals/releases/download/${VALS_VERSION
     | tar xzf - -C /usr/local/bin/ vals \
     && chmod +x /usr/local/bin/vals
 
-# helm-secrets
+RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm
-RUN mkdir -p /home/argocd/.local/share/helm/plugins && \
-    curl -fsSL https://github.com/jkroepke/helm-secrets/releases/download/${HELM_SECRETS_VERSION}/helm-secrets.tar.gz \
-    | tar -C /home/argocd/.local/share/helm/plugins -xzf- && \
-    chown -R root: /home/argocd/.local/share/helm && \
-    ln -sf /home/argocd/.local/share/helm/plugins/helm-secrets/scripts/wrapper/helm.sh /usr/local/sbin/helm && \
-    sed -i -e 's/secrets/secrets --evaluate-templates/' /home/argocd/.local/share/helm/plugins/helm-secrets/scripts/wrapper/helm.sh && \
-    rm -f /usr/local/bin/argocd-repo-server
 
-
+# Add init script to convert SA token into kubeconfig for vals
-
+ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
-# replace argocd-repo-server with wrapper to install kubectl config
-ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server
-
-# register vals "cmp plugin"
-ADD plugin.yaml /home/argocd/cmp-server/config/plugin.yaml
 
 USER ${ARGOCD_USER_ID}
+
+RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
+RUN mkdir -p /home/argocd/.kube && sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"

README.md

@@ -5,7 +5,7 @@ Customized ArgoCD image for KubeZero
 ## Changes
 - added sops, helm-secrets and vals binaries
 - configured helm-secrets to use vals backend
-- argocd-repo-server wrapper script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
+- init script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
 
 ## Credits:
 - https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-1-custom-docker-image

plugin.yaml

@@ -1,10 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ConfigManagementPlugin
-metadata:
-  name: kubezero-git-sync
-spec:
-  generate:
-    command: [sh, -c, 'find . -name "*.yaml" -o -name "*.yml" | while read f; do cat $f; echo; echo "---"; done | vals eval -f -']
-# discover:
-#   find:
-#     command: [sh, -c, find . -name "*.yaml"]

sa2kubeconfig.sh

@@ -1,6 +1,6 @@
-#!/bin/sh
+#!/bin/sh -e
 
-KUBECONFIG=/tmp/kubectl.config
+KUBECONFIG=$1
 SA_NAME=argo-argocd-repo-server
 
 CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
@@ -27,5 +27,3 @@ current-context: ${SA_NAME}_context
 EOF
 
 chmod 600 $KUBECONFIG
-
-ARGOCD_BINARY_NAME=argocd-repo-server /usr/local/bin/argocd $@