diff --git a/mojaloop/iac/roles/argocd/defaults/main.yaml b/mojaloop/iac/roles/argocd/defaults/main.yaml index 922eef5c..2eb19076 100644 --- a/mojaloop/iac/roles/argocd/defaults/main.yaml +++ b/mojaloop/iac/roles/argocd/defaults/main.yaml @@ -1,10 +1,9 @@ -argocd_version: "2.5.9" -argocd_lovely_plugin_version: "0.13.3" -argocd_vault_replacer_version: "0.11.6" +argocd_version: "2.7.1" +argocd_lovely_plugin_version: "0.18.0" repo_url: "https://localhost/repo.git" repo_password: mypassword repo_username: user -external_secrets_version: "0.8.1" +external_secrets_version: "0.8.2" external_secrets_namespace: "external-secrets" kubeconfig_location: "/etc/rancher/k3s/k3s.yaml" root_app_path: "infra/app-yamls" \ No newline at end of file diff --git a/mojaloop/iac/roles/argocd/tasks/main.yaml b/mojaloop/iac/roles/argocd/tasks/main.yaml index 194f8918..d891452a 100644 --- a/mojaloop/iac/roles/argocd/tasks/main.yaml +++ b/mojaloop/iac/roles/argocd/tasks/main.yaml @@ -28,10 +28,10 @@ - argo-root-app - argo-service-acct-patch - argocd-lovely-plugin - - argocd-vault-replacer - kustomization - namespace - vault-service-account-etc + - vault-env #- netclient - name: Install external-secrets diff --git a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 index ebad8409..1cad4892 100644 --- a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 
@@ -15,24 +15,6 @@ data: end end return hs - configManagementPlugins: |- - - name: argocd-lovely-plugin - generate: - command: ["argocd-lovely-plugin"] - - name: argocd-vault-replacer - generate: - command: ["argocd-vault-replacer"] - - name: kustomize-argocd-vault-replacer - generate: - command: ["sh", "-c"] - args: ["kustomize build . | argocd-vault-replacer"] - - name: helm-argocd-vault-replacer - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: [sh, -c] - args: ["helm template -n $ARGOCD_APP_NAMESPACE $ARGOCD_APP_NAME . | argocd-vault-replacer"] kind: ConfigMap metadata: labels: diff --git a/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 index 6dce549b..c29f83db 100644 --- a/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 
@@ -7,22 +7,29 @@ spec: template: spec: containers: - - name: argocd-repo-server - volumeMounts: - - name: custom-tools - mountPath: /usr/local/bin/argocd-lovely-plugin - subPath: argocd-lovely-plugin - # Environment Variables are optional - env: - - name: ARGOCD_ENV_LOVELY_PLUGINS - value: argocd-vault-replacer + - name: lovely-plugin + # This command is actually already set in the image. + command: [/var/run/argocd/argocd-cmp-server] # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server + # Choose your image here - this one has vault replacer in it + image: ghcr.io/crumbhole/argocd-lovely-plugin-cmp-vault:{{ argocd_lovely_plugin_version }} + # Here we are configuring default evironment for every app - in this case vault + envFrom: + - secretRef: + name: vault-env + securityContext: + runAsNonRoot: true + runAsUser: 999 + volumeMounts: + # Import the repo-server's pliugin binary + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps + # mitigate path traversal attacks. + - mountPath: /tmp + name: lovely-tmp volumes: - - name: custom-tools - emptyDir: {} - initContainers: - - name: argocd-lovely-plugin-download - image: ghcr.io/crumbhole/argocd-lovely-plugin:{{ argocd_lovely_plugin_version }} - imagePullPolicy: Always - volumeMounts: - - mountPath: /custom-tools - name: custom-tools + # A temporary directory for the tool to work in. + - emptyDir: {} + name: lovely-tmp \ No newline at end of file diff --git a/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 deleted file mode 100644 index 0424df64..00000000 --- a/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 +++ /dev/null 
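Review bot: The new lovely-plugin sidecar's securityContext stops at `runAsNonRoot: true` / `runAsUser: 999`; since this container runs the CMP server that renders manifests from every repository the repo-server fetches, it should also set `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` (readOnlyRootFilesystem is worth testing as well, but the plugin may need a writable HOME beyond the mounted /tmp, so confirm before adding it). The `var-files` and `plugins` volumeMounts rely on volumes that this patch does not declare, presumably the ones already present on the upstream argocd-repo-server Deployment being patched; a one-line comment stating that dependency would save the next reader a search. The image is referenced by a mutable tag only, so if the project pins other images by digest or verifies signatures, the same is worth applying here. Two comment typos: "evironment" → "environment", "pliugin" → "plugin".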
@@ -1,27 +0,0 @@ -# Downloads the plugin and moves it to /custom-tools, which is then mounted on the argocd-repo-server -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-vault-replacer -spec: - template: - spec: - containers: - - name: argocd-repo-server - volumeMounts: - - name: custom-tools - mountPath: /usr/local/bin/argocd-vault-replacer - subPath: argocd-vault-replacer - env: - - name: VAULT_ADDR - value: http://vault.vault.svc.cluster.local:8200 - volumes: - - name: custom-tools - emptyDir: {} - initContainers: - - name: argocd-vault-replacer-download - image: ghcr.io/crumbhole/argocd-vault-replacer:{{ argocd_vault_replacer_version }} - imagePullPolicy: Always - volumeMounts: - - mountPath: /custom-tools - name: custom-tools diff --git a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 index 916dd0dc..31f7c578 100644 --- a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 @@ -9,6 +9,7 @@ resources: - namespace.yaml - vault-service-account-etc.yaml - argo-gitlab.yaml +- vault-env.yaml #- netclient.yaml patches: @@ -20,10 +21,6 @@ patches: target: kind: Deployment name: argocd-repo-server -- path: argocd-vault-replacer.yaml - target: - kind: Deployment - name: argocd-repo-server - path: argo-service-acct-patch.yaml target: kind: Deployment diff --git a/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 b/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 new file mode 100644 index 00000000..31f17447 --- /dev/null +++ b/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 @@ -0,0 +1,8 @@ +apiVersion: v1 +stringData: + VAULT_ADDR: http://vault.vault.svc.cluster.local:8200 + VAULT_AUTH_PATH: kubernetes +kind: Secret +metadata: + name: vault-env +type: Opaque \ No newline at end of file
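Review bot: The new `vault-env` Secret carries only non-sensitive configuration (`VAULT_ADDR`, `VAULT_AUTH_PATH`), so a ConfigMap consumed via `configMapRef` would state intent more honestly, unless the Secret is meant to later hold credentials as well; either way a short comment explaining the choice belongs above `stringData:`. `VAULT_ADDR` points at plain `http://`, carried over from the deleted argocd-vault-replacer template, which presumably means Kubernetes-auth logins and the returned Vault tokens cross the cluster network in cleartext unless something else encrypts that hop; this is worth recording as a known trade-off or switching to Vault's TLS listener if one is exposed. The file also ends without a trailing newline.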