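# Argo CD image extended with the helm-secrets plugin, using vals as the secret
# backend (sops is installed so that vals can call it).
# NOTE(review): the base image is pinned by tag only; pinning it by digest as
# well would make the build reproducible and tamper-evident.
FROM quay.io/argoproj/argocd:v2.13.1

# Tool versions are pinned through build args; the renovate comments are kept
# verbatim so automated version bumps keep working.
# renovate: datasource=github-releases depName=sops packageName=getsops/sops
ARG SOPS_VERSION=v3.9.2
# renovate: datasource=github-releases depName=vals packageName=helmfile/vals
ARG VALS_VERSION=v0.38.0
# renovate: datasource=github-releases depName=helm-secrets packageName=jkroepke/helm-secrets
ARG HELM_SECRETS_VERSION=v4.6.2

# UID the image switches back to after the root-only installation steps.
ARG ARGOCD_USER_ID="999"

# helm-secrets runtime configuration: vals backend, wrapper mode enabled,
# symlinked values files and path traversal rejected.
# NOTE(review): HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true lets a values
# reference use an absolute path; on a repo-server shared between teams,
# confirm this is required and that backend credentials are scoped to match.
ENV HELM_SECRETS_BACKEND="vals" \
    HELM_SECRETS_HELM_PATH=/usr/local/bin/helm \
    HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/" \
    HELM_SECRETS_VALUES_ALLOW_SYMLINKS=false \
    HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH=true \
    HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL=false \
    HELM_SECRETS_WRAPPER_ENABLED=true

# Optionally, set default gpg key for sops files
# ENV HELM_SECRETS_LOAD_GPG_KEYS=/path/to/gpg.key

USER root

# curl is only needed to fetch the release artifacts below. ca-certificates is
# listed explicitly because --no-install-recommends would otherwise not pull it
# in, and the downloads rely on TLS verification.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
      ca-certificates \
      curl && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# sops (use via vals!)
# NOTE(review): this binary and the vals archive below are fetched over HTTPS
# but not integrity-checked; verify each against a pinned SHA-256 (for example
# with `sha256sum -c`) before installing. Both URLs are hard-coded to amd64.
RUN curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64" \
      -o /usr/local/bin/sops && \
    chmod +x /usr/local/bin/sops

# vals backend installation
# The archive is saved to a file instead of being piped into tar: the default
# /bin/sh has no pipefail, so a failed download inside a pipe would be masked.
RUN curl -fsSL "https://github.com/helmfile/vals/releases/download/${VALS_VERSION}/vals_${VALS_VERSION#v}_linux_amd64.tar.gz" \
      -o /tmp/vals.tar.gz && \
    tar xzf /tmp/vals.tar.gz -C /usr/local/bin/ vals && \
    rm -f /tmp/vals.tar.gz && \
    chmod +x /usr/local/bin/vals

# Expose the helm-secrets wrapper as /usr/local/sbin/helm. The link target only
# exists once the plugin is installed further down.
RUN ln -sf "$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" /usr/local/sbin/helm

# Add init script to convert SA token into kubeconfig for vals
# COPY rather than ADD: this is a plain local file, so ADD's archive extraction
# and URL handling are not wanted here.
COPY sa2kubeconfig.sh /usr/local/bin/sa2kubeconfig.sh

# Drop root before installing the plugin so it lands in the argocd user's home.
USER ${ARGOCD_USER_ID}

RUN helm plugin install --version "${HELM_SECRETS_VERSION#v}" https://github.com/jkroepke/helm-secrets

# Create the kubeconfig directory and patch the wrapper so that it passes
# --evaluate-templates to helm-secrets. The grep makes the build fail loudly if
# a future plugin release changes the wrapper and the sed no longer matches.
RUN mkdir -p /home/argocd/.kube && \
    wrapper="$(helm env HELM_PLUGINS)/helm-secrets/scripts/wrapper/helm.sh" && \
    sed -i -e 's/secrets/secrets --evaluate-templates/' "${wrapper}" && \
    grep -q -- '--evaluate-templates' "${wrapper}"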