fix: workaround for yaml NOT ending with CR/LF

Reviewed-on: #8

Dockerfile

@@ -1,11 +1,11 @@
-FROM quay.io/argoproj/argocd:v2.13.1
+FROM quay.io/argoproj/argocd:v2.14.9
 
 # renovate: datasource=github-releases depName=sops packageName=getsops/sops
-ARG SOPS_VERSION=v3.9.2
+ARG SOPS_VERSION=v3.10.1
 # renovate: datasource=github-releases depName=vals packageName=helmfile/vals
-ARG VALS_VERSION=v0.38.0
+ARG VALS_VERSION=v0.40.1
 # renovate: datasource=github-releases depName=helm-secrets packageName=jkroepke/helm-secrets
-ARG HELM_SECRETS_VERSION=v4.6.2
+ARG HELM_SECRETS_VERSION=v4.6.3
 
 ARG ARGOCD_USER_ID="999"
 
@@ -16,7 +16,8 @@ ENV HELM_SECRETS_BACKEND="vals" \
     HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
     HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
     HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
-    HELM_SECRETS_WRAPPER_ENABLED=true
+    HELM_SECRETS_WRAPPER_ENABLED=true \
+    KUBECONFIG=/tmp/kubectl.config
 
 # Optionally, set default gpg key for sops files
 # ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key
@@ -37,12 +38,21 @@ RUN curl -fsSL https://github.com/helmfile/vals/releases/download/${VALS_VERSION
     | tar xzf - -C /usr/local/bin/ vals \
     && chmod +x /usr/local/bin/vals
 
-RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm
+# helm-secrets
+RUN mkdir -p /home/argocd/.local/share/helm/plugins && \
+    curl -fsSL https://github.com/jkroepke/helm-secrets/releases/download/${HELM_SECRETS_VERSION}/helm-secrets.tar.gz \
+    | tar -C /home/argocd/.local/share/helm/plugins -xzf- && \
+    chown -R root: /home/argocd/.local/share/helm && \
+    ln -sf /home/argocd/.local/share/helm/plugins/helm-secrets/scripts/wrapper/helm.sh /usr/local/sbin/helm && \
+    sed -i -e 's/secrets/secrets --evaluate-templates/' /home/argocd/.local/share/helm/plugins/helm-secrets/scripts/wrapper/helm.sh && \
+    rm -f /usr/local/bin/argocd-repo-server
 
-# Add init script to convert SA token into kubeconfig for vals
+
-ADD sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh
+
+# replace argocd-repo-server with wrapper to install kubectl config
+ADD argocd-repo-server-wrapper.sh /usr/local/bin/argocd-repo-server
+
+# register vals "cmp plugin"
+ADD plugin.yaml /home/argocd/cmp-server/config/plugin.yaml
 
 USER ${ARGOCD_USER_ID}
-
-RUN helm plugin install --version ${HELM_SECRETS_VERSION#v} https://github.com/jkroepke/helm-secrets
-RUN mkdir -p /home/argocd/.kube && sed -i -e 's/secrets/secrets --evaluate-templates/' "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh"

README.md

@@ -5,7 +5,7 @@ Customized ArgoCD image for KubeZero
 ## Changes
 - added sops, helm-secrets and vals binaries
 - configured helm-secrets to use vals backend
-- init script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
+- argocd-repo-server wrapper script to allow vals to access the local cluster Kube API using Argo's SA account to eg. lookup values from a central secret
 
 ## Credits:
 - https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#option-1-custom-docker-image

argocd-repo-server-wrapper.sh

@@ -1,6 +1,6 @@
-#!/bin/sh -e
+#!/bin/sh
 
-KUBECONFIG=$1
+KUBECONFIG=/tmp/kubectl.config
 SA_NAME=argo-argocd-repo-server
 
 CA64=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt | base64 -w0)
@@ -27,3 +27,5 @@ current-context: ${SA_NAME}_context
 EOF
 
 chmod 600 $KUBECONFIG
+
+ARGOCD_BINARY_NAME=argocd-repo-server /usr/local/bin/argocd $@

plugin.yaml

@@ -0,0 +1,10 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ConfigManagementPlugin
+metadata:
+  name: kubezero-git-sync
+spec:
+  generate:
+    command: [sh, -c, 'find . -name "*.yaml" -o -name "*.yml" | while read f; do cat $f; echo; echo "---"; done | vals eval -f -']
+# discover:
+#   find:
+#     command: [sh, -c, find . -name "*.yaml"]