Merge pull request #2 from jessebot/add-more-helm-docs
fix secret mounts to be readonly and optional; fix typo in docker image name; allow existingSecrets for both token and vars, add more helm docs
cloudymax authored Aug 6, 2023
2 parents b22480c + 16e89b7 commit c2f003b
Showing 15 changed files with 132 additions and 44 deletions.
9 changes: 5 additions & 4 deletions README.md
Expand Up @@ -31,11 +31,12 @@ metadata:
namespace: argocd
labels:
app.kubernetes.io/part-of: argocd
type: Opaque
type: stringData
data:
# The secret value must be base64 encoded **once**.
# This value corresponds to: `printf "beepboop" | base64`.
app_name: "YmVlcGJvb3A="
secret_vars.yaml: |
# The secret value must be base64 encoded **once**.
# This value corresponds to: `printf "beepboop" | base64`.
app_name: "YmVlcGJvb3A="
```
Here's an example ApplicationSet, using the secret plugin generator, to apply:
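Review bot: In the Secret example, `type: stringData` now sits where `type: Opaque` was while the `data:` key is kept, so `stringData` has ended up as the Secret's type instead of as the field that holds the file. Restore `type: Opaque` and rename `data:` to `stringData:`; the nested `app_name` should then carry the plain value, and the "base64 encoded once" comment no longer applies.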
4 changes: 2 additions & 2 deletions charts/argocd-appset-secret-plugin/Chart.yaml
Expand Up @@ -19,10 +19,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
version: 0.2.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.1"
appVersion: "0.1.2"
12 changes: 7 additions & 5 deletions charts/argocd-appset-secret-plugin/README.md
@@ -1,6 +1,6 @@
# argocd-appset-secret-plugin

![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.1](https://img.shields.io/badge/AppVersion-0.1.1-informational?style=flat-square)
![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.2](https://img.shields.io/badge/AppVersion-0.1.2-informational?style=flat-square)

A Helm chart for adding a K8s Secret Plugin Generator to ApplicationSets

Expand All @@ -21,22 +21,24 @@ A Helm chart for adding a K8s Secret Plugin Generator to ApplicationSets
| autoscaling.targetCPUUtilizationPercentage | int | `80` | |
| fullnameOverride | string | `""` | |
| image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy for the main container |
| image.repository | string | `"jessebot/appset-secret-generator-plugin"` | image repo to use for the docker container |
| image.repository | string | `"jessebot/argocd-appset-secret-plugin"` | image repo to use for the docker container |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | |
| nameOverride | string | `""` | |
| nodeSelector | object | `{}` | |
| nameOverride | string | `""` | override the autogenerated name of this helm chart release |
| nodeSelector | object | `{}` | deploy chart to a specific k8s node |
| podAnnotations | object | `{}` | any additional annotations you'd like the pod to have |
| podSecurityContext | object | `{}` | securityContext for the pod: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| replicaCount | int | `1` | number of replica pods to create |
| resources | object | `{}` | |
| secretVars.existingSecret | string | `""` | the name of an existing secret to use for the secret keys to provide to applicationSets via the plugin generator |
| securityContext | object | `{}` | securityContext for the container: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| service.port | int | `80` | service port to expose on the cluster |
| service.targetPort | int | `4355` | service target port on the container |
| service.type | string | `"ClusterIP"` | |
| service.type | string | `"ClusterIP"` | type for the service, only ClusterIP is tested |
| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| token.existingSecret | string | `""` | the name of an existing secret to use for the token that argoCD and the plugin will use for communication |
| tolerations | list | `[]` | |

----------------------------------------------
24 changes: 23 additions & 1 deletion charts/argocd-appset-secret-plugin/templates/_helpers.tpl
Expand Up @@ -56,7 +56,29 @@ Create the name of the service account to use
{{- define "argocd-appset-secret-plugin.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "argocd-appset-secret-plugin.fullname" .) .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
Create the name of the token secret to use: either from an existing secret
or the fullname of the chart + "-token"
*/}}
{{- define "argocd-appset-secret-plugin.tokenSecret" -}}
{{- if not .Values.token.existingSecret }}
{{- printf "%s-token" (include "argocd-appset-secret-plugin.fullname" .) }}
{{- else }}
{{ .Values.token.existingSecret }}
{{- end }}
{{- end }}

{{/*
Create the name of the vars secret to use: either from an existing secret
or the fullname of the chart + "-secret-vars"
*/}}
{{- define "argocd-appset-secret-plugin.varSecret" -}}
{{- if not .Values.secretVars.existingSecret }}
{{- printf "%s-secret-vars" (include "argocd-appset-secret-plugin.fullname" .) }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{ .Values.secretVars.existingSecret }}
{{- end }}
{{- end }}
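Review bot: In both new helpers the `else` branch line (`{{ .Values.token.existingSecret }}` and `{{ .Values.secretVars.existingSecret }}`) has no left trim marker, so the newline after `{{- else }}` is emitted and the include returns the name with a leading line break; inside the quoted `secretName: "{{ include ... }}"` in deployment.yaml that no longer matches the real Secret name. Use `{{- .Values.token.existingSecret }}` and the same for `secretVars`. Separately, `serviceAccountName` now ends right after the `if .Values.serviceAccount.create` branch; if the `default "default" .Values.serviceAccount.name` line shown inside `varSecret` is the one deletion counted in the file header, the helper renders an empty name when `serviceAccount.create` is false, so keep that `else` branch.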
26 changes: 10 additions & 16 deletions charts/argocd-appset-secret-plugin/templates/deployment.yaml
Expand Up @@ -39,28 +39,22 @@ spec:
protocol: TCP
volumeMounts:
- name: token
mountPath: "/var/run/argo/token"
subPath: token
- name: allowed-env-vars
mountPath: "/var/run/argo/secret_vars.yaml"
subPath: secret_vars.yaml
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
mountPath: "/var/run/argocd/token"
subPath: "token"
readOnly: true
- name: secret-vars
mountPath: "/var/run/secret-plugin/secret_vars.yaml"
subPath: "secret_vars.yaml"
readOnly: true
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: token
secret:
secretName: {{ include "argocd-appset-secret-plugin.fullname" . }}-token
- name: allowed-env-vars
secretName: "{{ include "argocd-appset-secret-plugin.tokenSecret" . }}"
- name: secret-vars
secret:
secretName: argocd-env-vars
secretName: "{{ include "argocd-appset-secret-plugin.varSecret" . }}"
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
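Review bot: The `livenessProbe` and `readinessProbe` blocks disappear from the container spec and nothing replaces them, which the commit message does not mention; without a readiness probe the Service routes to the pod before the server is listening. If the `httpGet` on `/` was failing because the endpoint expects the bearer token, switch to a `tcpSocket` probe on the `http` port rather than dropping both. The message also says the mounts become "readonly and optional", but only `readOnly: true` is added; neither `secret:` volume sets `optional: true`.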
@@ -1,9 +1,12 @@
{{- if not .Values.token.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "argocd-appset-secret-plugin.fullname" . }}-token
labels:
{{- include "argocd-appset-secret-plugin.labels" . | nindent 4 }}
type: Opaque
data:
token: {{ randAlphaNum 32 }}
token: {{ randAlphaNum 32 | b64enc | quote }}

{{- end }}
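Review bot: `b64enc | quote` fixes the unencoded value under `data:`, but `randAlphaNum 32` is still evaluated on every render, so each `helm upgrade` writes a new token. The deployment mounts the token with `subPath` and main.py reads it once at startup, so the running pod keeps the old value while anything reading the Secret afterwards, such as the test pod's `secretKeyRef`, gets the new one. Reuse the existing value when the Secret is already present (for example with Helm's `lookup`), or add a checksum annotation to the pod template so the pod restarts when the token changes.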
12 changes: 12 additions & 0 deletions charts/argocd-appset-secret-plugin/templates/test_ci_secret.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
{{- if not .Values.secretVars.existingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: {{ include "argocd-appset-secret-plugin.fullname" . }}-secret-vars
labels:
app.kubernetes.io/part-of: argocd
stringData:
secret_vars.yaml: |
app_name: "cool_app"
{{- end }}
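Review bot: Despite the `test_ci_secret.yaml` file name, this template renders on every install where `secretVars.existingSecret` is empty, so a default release ships a Secret whose only content is the placeholder `app_name: "cool_app"`. Either rename the file and document the placeholder, or expose the file contents through values. The metadata also hard-codes `app.kubernetes.io/part-of: argocd` where the token Secret uses the chart's `labels` helper.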
@@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: test-connection
data:
curl_script.sh: |
curl http://{{ include "argocd-appset-secret-plugin.fullname" . }}/api/v1/getparams.execute -H "Content-type:application/json" -H "Authorization: Bearer $TOKEN" -d '{"applicationSetName": "fake-appset", "input": {"parameters": {"secret_vars": ["app_name"]}}}'
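Review bot: The `curl` line has no `--fail`, so it exits 0 on a 401 or 500 response and the Helm test passes as long as anything answers; add `--fail` and ideally check the response body for `app_name`. The URL also drops the port that the old `wget` test took from `.Values.service.port`, so it only works while the Service stays on 80, and the ConfigMap carries no `"helm.sh/hook": test` annotation, so it is installed with the release rather than only for `helm test`.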
Expand Up @@ -8,8 +8,26 @@ metadata:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['{{ include "argocd-appset-secret-plugin.fullname" . }}:{{ .Values.service.port }}']
- name: curl
image: curlimages/curl
command: ['/bin/sh']
args:
- "-c"
- "/testing/curl_script.sh"
env:
- name: "TOKEN"
valueFrom:
secretKeyRef:
name: '{{ include "argocd-appset-secret-plugin.tokenSecret" . }}'
key: token
volumeMounts:
- name: curl-script
mountPath: "/testing"
readOnly: false
volumes:
- name: curl-script
configMap:
name: test-connection
defaultMode: 0777

restartPolicy: Never
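Review bot: The script volume is mounted with `readOnly: false` and `defaultMode: 0777`, which runs against the read-only mounts this commit sets on the main deployment; the pod only needs to read and execute the script, so `readOnly: true` with `defaultMode: 0555` is enough. `image: curlimages/curl` also has no tag, so the test result depends on whichever image is current at the time; pin a version.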
13 changes: 12 additions & 1 deletion charts/argocd-appset-secret-plugin/values.yaml
Expand Up @@ -7,16 +7,25 @@ replicaCount: 1

image:
# -- image repo to use for the docker container
repository: jessebot/appset-secret-generator-plugin
repository: jessebot/argocd-appset-secret-plugin
# -- image pullPolicy for the main container
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is the chart appVersion.
tag: ""

imagePullSecrets: []
# -- override the autogenerated name of this helm chart release
nameOverride: ""
fullnameOverride: ""

secretVars:
# -- the name of an existing secret to use for the secret keys to provide to applicationSets via the plugin generator
existingSecret: ""

token:
# -- the name of an existing secret to use for the token that argoCD and the plugin will use for communication
existingSecret: ""

serviceAccount:
# -- Specifies whether a service account should be created
create: true
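Review bot: The `existingSecret` comments for `secretVars` and `token` do not say which keys the Secret must contain. The deployment mounts them with `subPath: "secret_vars.yaml"` and `subPath: "token"`, and the test pod reads `key: token`, so a Secret with other key names will not work; name the required keys in both comments so they also land in the generated README table.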
Expand All @@ -43,6 +52,7 @@ securityContext: {}
# runAsUser: 1000

service:
# -- type for the service, only ClusterIP is tested
type: ClusterIP
# -- service port to expose on the cluster
port: 80
Expand All @@ -69,6 +79,7 @@ autoscaling:
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80

# -- deploy chart to a specific k8s node
nodeSelector: {}

tolerations: []
6 changes: 3 additions & 3 deletions docker/README.md
Expand Up @@ -12,7 +12,7 @@ docker build . -t jessebot/argocd-appset-secret-plugin:dev

Generate a fake token
```bash
openssl rand -base64 12 > token && export PLUGIN_TOKEN=`/bin/cat token`
openssl rand -base64 12 > token && export TOKEN=`/bin/cat token`
```

Create some test values you'd like to get in your fake ApplicationSet:
Expand All @@ -25,7 +25,7 @@ Run the docker container:

```bash
docker run \
-v ./secret_vars.yaml:/var/run/argocd/secret_vars.yaml \
-v ./secret_vars.yaml:/var/run/secret-plugin/secret_vars.yaml \
-v ./token:/var/run/argocd/token \
-p 4355:4355 \
jessebot/argocd-appset-secret-plugin:dev
Expand All @@ -34,7 +34,7 @@ docker run \
Send a request for a vairable in your secret_vars.yaml:

```bash
curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer $PLUGIN_TOKEN" -d \
curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer $TOKEN" -d \
'{
"applicationSetName": "fake-appset",
"input": {
2 changes: 1 addition & 1 deletion docker/main.py
Expand Up @@ -13,7 +13,7 @@
with open("/var/run/argocd/token") as f:
TOKEN = f.read().strip()

with open("/var/run/argocd/secret_vars.yaml") as yaml_file:
with open("/var/run/secret-plugin/secret_vars.yaml") as yaml_file:
SECRET_VARS = yaml.safe_load(yaml_file)

class Plugin(BaseHTTPRequestHandler):
17 changes: 17 additions & 0 deletions docker/pyproject.toml
@@ -0,0 +1,17 @@
[tool.poetry]
name = "argocd-appset-secret-plugin"
version = "0.1.2"
description = "a K8s Secret Plugin Generator to ApplicationSets in Argo CD"
authors = ["jessebot <[email protected]>"]
license = "Apache-2.0"
readme = "README.md"
packages = [{include = "argocd_appset_secret_plugin"}]

[tool.poetry.dependencies]
python = "^3.11"
PyYAML = "^6.0.1"


[build-system]
requires = ["poetry-core"]
build-backend = "poetry.core.masonry.api"
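Review bot: `packages = [{include = "argocd_appset_secret_plugin"}]` points at a package directory, while the only Python source this commit touches is `docker/main.py`; unless that directory exists elsewhere in the tree, Poetry has nothing to package under that name. Either move main.py into such a package or drop the `packages` line.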
9 changes: 5 additions & 4 deletions example/appset_and_secret.yaml
Expand Up @@ -2,15 +2,16 @@
apiVersion: v1
kind: Secret
metadata:
name: argocd-env-vars
name: argocd-secret-vars
namespace: argocd
labels:
app.kubernetes.io/part-of: argocd
type: Opaque
data:
# The secret value must be base64 encoded **once**.
# This value corresponds to: `printf "beepboop" | base64`.
app_name: "YmVlcGJvb3A="
secret_vars.yaml: |
# The secret value must be base64 encoded **once**.
# This value corresponds to: `printf "beepboop" | base64`.
app_name: "YmVlcGJvb3A="
---
apiVersion: argoproj.io/v1alpha1
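Review bot: Under `data:` the new `secret_vars.yaml: |` value is a plain-text block scalar, and `data` values must be base64, so applying this Secret fails. Use `stringData:` for the file content and put the plain value in `app_name`, as templates/test_ci_secret.yaml does. The Secret is also named `argocd-secret-vars`, which the chart only picks up when `secretVars.existingSecret` is set to that name; say so next to the example.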
4 changes: 2 additions & 2 deletions kustomize/manifests/deployment.yaml
Expand Up @@ -28,8 +28,8 @@ spec:
mountPath: "/var/run/argocd/token"
subPath: "token"
- name: argocd-secret-vars
mountPath: "/var/run/argocd/secret-vars.yaml"
subPath: "secret-vars.yaml"
mountPath: "/var/run/argocd/secret_vars.yaml"
subPath: "secret_vars.yaml"
volumes:
- name: token
secret:
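Review bot: The new `mountPath` is `/var/run/argocd/secret_vars.yaml`, but docker/main.py in this same commit opens `/var/run/secret-plugin/secret_vars.yaml`, so the kustomize deployment starts a container that cannot find its vars file. Mount at `/var/run/secret-plugin/secret_vars.yaml` as the Helm template does, and add `readOnly: true` to both mounts for parity with the chart.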
