From 08464fd8768b0dae8abab48ab53ac9f86b5c5ed3 Mon Sep 17 00:00:00 2001 From: David Fry Date: Mon, 22 May 2023 19:49:56 +0100 Subject: [PATCH 1/3] upgrade argo --- mojaloop/iac/roles/argocd/defaults/main.yaml | 7 ++- mojaloop/iac/roles/argocd/tasks/main.yaml | 1 + .../roles/argocd/templates/argo-cm.yaml.j2 | 31 ------------- .../templates/argocd-lovely-plugin.yaml.j2 | 43 +++++++++++-------- .../templates/argocd-vault-replacer.yaml.j2 | 27 ------------ .../argocd/templates/kustomization.yaml.j2 | 5 +-- .../roles/argocd/templates/vault-env.yaml.j2 | 8 ++++ 7 files changed, 38 insertions(+), 84 deletions(-) delete mode 100644 mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 create mode 100644 mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 diff --git a/mojaloop/iac/roles/argocd/defaults/main.yaml b/mojaloop/iac/roles/argocd/defaults/main.yaml index 922eef5c..2eb19076 100644 --- a/mojaloop/iac/roles/argocd/defaults/main.yaml +++ b/mojaloop/iac/roles/argocd/defaults/main.yaml @@ -1,10 +1,9 @@ -argocd_version: "2.5.9" -argocd_lovely_plugin_version: "0.13.3" -argocd_vault_replacer_version: "0.11.6" +argocd_version: "2.7.1" +argocd_lovely_plugin_version: "0.18.0" repo_url: "https://localhost/repo.git" repo_password: mypassword repo_username: user -external_secrets_version: "0.8.1" +external_secrets_version: "0.8.2" external_secrets_namespace: "external-secrets" kubeconfig_location: "/etc/rancher/k3s/k3s.yaml" root_app_path: "infra/app-yamls" \ No newline at end of file diff --git a/mojaloop/iac/roles/argocd/tasks/main.yaml b/mojaloop/iac/roles/argocd/tasks/main.yaml index 194f8918..291fe351 100644 --- a/mojaloop/iac/roles/argocd/tasks/main.yaml +++ b/mojaloop/iac/roles/argocd/tasks/main.yaml @@ -32,6 +32,7 @@ - kustomization - namespace - vault-service-account-etc + - vault-env #- netclient - name: Install external-secrets 
diff --git a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 index ebad8409..c93fd6b1 100644 --- a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 @@ -2,37 +2,6 @@ apiVersion: v1 data: ui.bannercontent: "initial attempt at deployment of argo with plugins" ui.bannerpermanent: "true" - resource.customizations.health.argoproj.io_Application: | - hs = {} - hs.status = "Progressing" - hs.message = "" - if obj.status ~= nil then - if obj.status.health ~= nil then - hs.status = obj.status.health.status - if obj.status.health.message ~= nil then - hs.message = obj.status.health.message - end - end - end - return hs - configManagementPlugins: |- - - name: argocd-lovely-plugin - generate: - command: ["argocd-lovely-plugin"] - - name: argocd-vault-replacer - generate: - command: ["argocd-vault-replacer"] - - name: kustomize-argocd-vault-replacer - generate: - command: ["sh", "-c"] - args: ["kustomize build . | argocd-vault-replacer"] - - name: helm-argocd-vault-replacer - init: - command: ["/bin/sh", "-c"] - args: ["helm dependency build"] - generate: - command: [sh, -c] - args: ["helm template -n $ARGOCD_APP_NAMESPACE $ARGOCD_APP_NAME . | argocd-vault-replacer"] kind: ConfigMap metadata: labels: diff --git a/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 index 6dce549b..c29f83db 100644 --- a/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/argocd-lovely-plugin.yaml.j2 
@@ -7,22 +7,29 @@ spec: template: spec: containers: - - name: argocd-repo-server - volumeMounts: - - name: custom-tools - mountPath: /usr/local/bin/argocd-lovely-plugin - subPath: argocd-lovely-plugin - # Environment Variables are optional - env: - - name: ARGOCD_ENV_LOVELY_PLUGINS - value: argocd-vault-replacer + - name: lovely-plugin + # This command is actually already set in the image. + command: [/var/run/argocd/argocd-cmp-server] # Entrypoint should be Argo CD lightweight CMP server i.e. argocd-cmp-server + # Choose your image here - this one has vault replacer in it + image: ghcr.io/crumbhole/argocd-lovely-plugin-cmp-vault:{{ argocd_lovely_plugin_version }} + # Here we are configuring default evironment for every app - in this case vault + envFrom: + - secretRef: + name: vault-env + securityContext: + runAsNonRoot: true + runAsUser: 999 + volumeMounts: + # Import the repo-server's pliugin binary + - mountPath: /var/run/argocd + name: var-files + - mountPath: /home/argocd/cmp-server/plugins + name: plugins + # Starting with v2.4, do NOT mount the same tmp volume as the repo-server container. The filesystem separation helps + # mitigate path traversal attacks. + - mountPath: /tmp + name: lovely-tmp volumes: - - name: custom-tools - emptyDir: {} - initContainers: - - name: argocd-lovely-plugin-download - image: ghcr.io/crumbhole/argocd-lovely-plugin:{{ argocd_lovely_plugin_version }} - imagePullPolicy: Always - volumeMounts: - - mountPath: /custom-tools - name: custom-tools + # A temporary directory for the tool to work in. + - emptyDir: {} + name: lovely-tmp \ No newline at end of file diff --git a/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 deleted file mode 100644 index 0424df64..00000000 --- a/mojaloop/iac/roles/argocd/templates/argocd-vault-replacer.yaml.j2 +++ /dev/null 
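Review bot: The new `lovely-plugin` sidecar in argocd-lovely-plugin.yaml.j2 sets only `runAsNonRoot` and `runAsUser: 999` in its `securityContext`, although it is the container that processes repository content and receives the Vault settings through `envFrom`. It should also forbid privilege escalation and drop capabilities, as sketched below. The image is referenced by a mutable tag; pinning it as `image: ghcr.io/crumbhole/argocd-lovely-plugin-cmp-vault@sha256:<digest-placeholder>` would keep a re-pushed tag from changing what runs beside the repo-server. The mounts `var-files` and `plugins` rely on volumes this patch does not declare, presumably those of the upstream argocd-repo-server Deployment, which is worth confirming against the 2.7.1 manifests. The Deployment patch begins above the hunk.

```yaml
securityContext:
  runAsNonRoot: true
  runAsUser: 999
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
  # safe only if the plugin writes nowhere but the mounted /tmp; confirm first
  readOnlyRootFilesystem: true
```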
@@ -1,27 +0,0 @@ -# Downloads the plugin and moves it to /custom-tools, which is then mounted on the argocd-repo-server -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-vault-replacer -spec: - template: - spec: - containers: - - name: argocd-repo-server - volumeMounts: - - name: custom-tools - mountPath: /usr/local/bin/argocd-vault-replacer - subPath: argocd-vault-replacer - env: - - name: VAULT_ADDR - value: http://vault.vault.svc.cluster.local:8200 - volumes: - - name: custom-tools - emptyDir: {} - initContainers: - - name: argocd-vault-replacer-download - image: ghcr.io/crumbhole/argocd-vault-replacer:{{ argocd_vault_replacer_version }} - imagePullPolicy: Always - volumeMounts: - - mountPath: /custom-tools - name: custom-tools diff --git a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 index 916dd0dc..31f7c578 100644 --- a/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/kustomization.yaml.j2 @@ -9,6 +9,7 @@ resources: - namespace.yaml - vault-service-account-etc.yaml - argo-gitlab.yaml +- vault-env.yaml #- netclient.yaml patches: @@ -20,10 +21,6 @@ patches: target: kind: Deployment name: argocd-repo-server -- path: argocd-vault-replacer.yaml - target: - kind: Deployment - name: argocd-repo-server - path: argo-service-acct-patch.yaml target: kind: Deployment diff --git a/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 b/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 new file mode 100644 index 00000000..31f17447 --- /dev/null +++ b/mojaloop/iac/roles/argocd/templates/vault-env.yaml.j2 @@ -0,0 +1,8 @@ +apiVersion: v1 +stringData: + VAULT_ADDR: http://vault.vault.svc.cluster.local:8200 + VAULT_AUTH_PATH: kubernetes +kind: Secret +metadata: + name: vault-env +type: Opaque \ No newline at end of file From 20ad15a3f0740a2507b088bb2dcd5a12ed4e7404 Mon Sep 17 00:00:00 2001 
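Review bot: `VAULT_ADDR` in the new vault-env.yaml.j2 points at `http://vault.vault.svc.cluster.local:8200`, so the plugin's Vault login (`VAULT_AUTH_PATH: kubernetes`) and every secret it reads cross the cluster network unencrypted unless a mesh or CNI encrypts that path. If Vault exposes a TLS listener, use `VAULT_ADDR: https://vault.vault.svc.cluster.local:8200` and supply the CA with `VAULT_CACERT: <path-to-ca-bundle>`, after confirming the plugin's Vault client honours that variable. The address is also hard-coded in the template; a role default next to the other variables in defaults/main.yaml would let environments override it. Neither key is confidential, so a comment such as `# Secret only because the sidecar loads it via envFrom/secretRef; holds no credentials` would help the next reader.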
From: David Fry Date: Mon, 22 May 2023 20:40:07 +0100 Subject: [PATCH 2/3] rm vaultreplacer --- mojaloop/iac/roles/argocd/tasks/main.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/mojaloop/iac/roles/argocd/tasks/main.yaml b/mojaloop/iac/roles/argocd/tasks/main.yaml index 291fe351..d891452a 100644 --- a/mojaloop/iac/roles/argocd/tasks/main.yaml +++ b/mojaloop/iac/roles/argocd/tasks/main.yaml @@ -28,7 +28,6 @@ - argo-root-app - argo-service-acct-patch - argocd-lovely-plugin - - argocd-vault-replacer - kustomization - namespace - vault-service-account-etc From f15c4ddf3d629e04a513f2a12a398d511272e4fa Mon Sep 17 00:00:00 2001 From: David Fry Date: Mon, 22 May 2023 23:23:01 +0100 Subject: [PATCH 3/3] fix app status --- mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 index c93fd6b1..1cad4892 100644 --- a/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 +++ b/mojaloop/iac/roles/argocd/templates/argo-cm.yaml.j2 @@ -2,6 +2,19 @@ apiVersion: v1 data: ui.bannercontent: "initial attempt at deployment of argo with plugins" ui.bannerpermanent: "true" + resource.customizations.health.argoproj.io_Application: | + hs = {} + hs.status = "Progressing" + hs.message = "" + if obj.status ~= nil then + if obj.status.health ~= nil then + hs.status = obj.status.health.status + if obj.status.health.message ~= nil then + hs.message = obj.status.health.message + end + end + end + return hs kind: ConfigMap metadata: labels:
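Review bot: The restored `resource.customizations.health.argoproj.io_Application` entry in argo-cm.yaml.j2 has no comment saying why it is needed. Patch 1/3 of this series deleted it together with the `configManagementPlugins` block, which suggests it was mistaken for plugin configuration. A comment above the key such as `# Application health is not assessed by default; the root app-of-apps needs this check to report child app health` would protect it from the next cleanup. Reading the Lua, when `obj.status.health` exists but its `status` field is nil, `hs.status` is overwritten with nil instead of staying "Progressing"; worth confirming that case cannot occur.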