Merge pull request #1 from mojaloop/upgrade-argo

Upgrade argo
mojaloop · May 23, 2023 · 0ee6e09 · 0ee6e09
2 parents f20e056 + f15c4dd
commit 0ee6e09
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 72 deletions.
diff --git a/mojaloop/iac/roles/argocd/defaults/main.yaml b/mojaloop/iac/roles/argocd/defaults/main.yaml
@@ -1,10 +1,9 @@
-argocd_version: "2.5.9"
-argocd_lovely_plugin_version: "0.13.3"
-argocd_vault_replacer_version: "0.11.6"
+argocd_version: "2.7.1"
+argocd_lovely_plugin_version: "0.18.0"
 repo_url: "https://localhost/repo.git"
 repo_password: mypassword
 repo_username: user
-external_secrets_version: "0.8.1"
+external_secrets_version: "0.8.2"
 external_secrets_namespace: "external-secrets"
 kubeconfig_location: "/etc/rancher/k3s/k3s.yaml"
 root_app_path: "infra/app-yamls"
diff --git a/mojaloop/iac/roles/argocd/tasks/main.yaml b/mojaloop/iac/roles/argocd/tasks/main.yaml
@@ -28,10 +28,10 @@
     - argo-root-app
     - argo-service-acct-patch
     - argocd-lovely-plugin
-    - argocd-vault-replacer
     - kustomization
     - namespace
     - vault-service-account-etc
+    - vault-env
     #- netclient
 
 - name: Install external-secrets

diff --git a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2
@@ -15,24 +15,6 @@ data:
       end
     end
     return hs 
-  configManagementPlugins: |-
-    - name: argocd-lovely-plugin
-      generate:
-        command: ["argocd-lovely-plugin"]
-    - name: argocd-vault-replacer
-      generate:
-        command: ["argocd-vault-replacer"]
-    - name: kustomize-argocd-vault-replacer
-      generate:
-        command: ["sh", "-c"]
-        args: ["kustomize build . | argocd-vault-replacer"]
-    - name: helm-argocd-vault-replacer
-      init:
-        command: ["/bin/sh", "-c"]
-        args: ["helm dependency build"]
-      generate:
-        command: [sh, -c]
-        args: ["helm template -n $ARGOCD_APP_NAMESPACE $ARGOCD_APP_NAME . | argocd-vault-replacer"]
 kind: ConfigMap
 metadata:
   labels:

diff --git a/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2
@@ -7,22 +7,29 @@ spec:
   template:
     spec:
       containers:
-      - name: argocd-repo-server
-        volumeMounts:
-        - name: custom-tools
-          mountPath: /usr/local/bin/argocd-lovely-plugin
-          subPath: argocd-lovely-plugin
-        # Environment Variables are optional
-        env:
-          - name: ARGOCD_ENV_LOVELY_PLUGINS
-            value: argocd-vault-replacer
+        - name: lovely-plugin
+          # This command is actually already set in the image.
+          command: [/var/run/argocd/argocd-cmp-server] # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server
+          # Choose your image here - this one has vault replacer in it
+          image: ghcr.io/crumbhole/argocd-lovely-plugin-cmp-vault:{{ argocd_lovely_plugin_version }}
+          # Here we are configuring default evironment for every app - in this case vault
+          envFrom:
+            - secretRef:
+                name: vault-env
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 999
+          volumeMounts:
+              # Import the repo-server's pliugin binary
+            - mountPath: /var/run/argocd
+              name: var-files
+            - mountPath: /home/argocd/cmp-server/plugins
+              name: plugins
+              # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps
+              # mitigate path traversal attacks.
+            - mountPath: /tmp
+              name: lovely-tmp
       volumes:
-      - name: custom-tools
-        emptyDir: {}
-      initContainers:
-      - name: argocd-lovely-plugin-download
-        image: ghcr.io/crumbhole/argocd-lovely-plugin:{{ argocd_lovely_plugin_version }}
-        imagePullPolicy: Always
-        volumeMounts:
-          - mountPath: /custom-tools
-            name: custom-tools
+        # A temporary directory for the tool to work in.
+        - emptyDir: {}
+          name: lovely-tmp
diff --git a/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2
diff --git a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2
@@ -9,6 +9,7 @@ resources:
 - namespace.yaml
 - vault-service-account-etc.yaml
 - argo-gitlab.yaml
+- vault-env.yaml
 #- netclient.yaml
 
 patches:
@@ -20,10 +21,6 @@ patches:
   target:
     kind: Deployment
     name: argocd-repo-server
-- path: argocd-vault-replacer.yaml
-  target:
-    kind: Deployment
-    name: argocd-repo-server
 - path: argo-service-acct-patch.yaml
   target:
     kind: Deployment

diff --git a/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 b/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2
@@ -0,0 +1,8 @@
+apiVersion: v1
+stringData:
+  VAULT_ADDR: http://vault.vault.svc.cluster.local:8200
+  VAULT_AUTH_PATH: kubernetes
+kind: Secret
+metadata:
+  name: vault-env
+type: Opaque