diff --git a/README.md b/README.md index 8e55802..86315f0 100644 --- a/README.md +++ b/README.md @@ -31,11 +31,12 @@ metadata: namespace: argocd labels: app.kubernetes.io/part-of: argocd -type: Opaque +type: stringData data: - # The secret value must be base64 encoded **once**. - # This value corresponds to: `printf "beepboop" | base64`. - app_name: "YmVlcGJvb3A=" + secret_vars.yaml: | + # The secret value must be base64 encoded **once**. + # This value corresponds to: `printf "beepboop" | base64`. + app_name: "YmVlcGJvb3A=" ``` Here's an example ApplicationSet, using the secret plugin generator, to apply: diff --git a/charts/argocd-appset-secret-plugin/Chart.yaml b/charts/argocd-appset-secret-plugin/Chart.yaml index 30b3d08..64f04c9 100644 --- a/charts/argocd-appset-secret-plugin/Chart.yaml +++ b/charts/argocd-appset-secret-plugin/Chart.yaml @@ -19,10 +19,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.1 +version: 0.2.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "0.1.1" +appVersion: "0.1.2" diff --git a/charts/argocd-appset-secret-plugin/README.md b/charts/argocd-appset-secret-plugin/README.md index 4d109aa..7debffd 100644 --- a/charts/argocd-appset-secret-plugin/README.md +++ b/charts/argocd-appset-secret-plugin/README.md 
@@ -1,6 +1,6 @@ # argocd-appset-secret-plugin -![Version: 0.1.1](https://img.shields.io/badge/Version-0.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.1](https://img.shields.io/badge/AppVersion-0.1.1-informational?style=flat-square) +![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.2](https://img.shields.io/badge/AppVersion-0.1.2-informational?style=flat-square) A Helm chart for adding a K8s Secret Plugin Generator to ApplicationSets 
@@ -21,22 +21,24 @@ A Helm chart for adding a K8s Secret Plugin Generator to ApplicationSets | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | fullnameOverride | string | `""` | | | image.pullPolicy | string | `"IfNotPresent"` | image pullPolicy for the main container | -| image.repository | string | `"jessebot/appset-secret-generator-plugin"` | image repo to use for the docker container | +| image.repository | string | `"jessebot/argocd-appset-secret-plugin"` | image repo to use for the docker container | | image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. | | imagePullSecrets | list | `[]` | | -| nameOverride | string | `""` | | -| nodeSelector | object | `{}` | | +| nameOverride | string | `""` | override the autogenerated name of this helm chart release | +| nodeSelector | object | `{}` | deploy chart to a specific k8s node | | podAnnotations | object | `{}` | any additional annotations you'd like the pod to have | | podSecurityContext | object | `{}` | securityContext for the pod: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | | replicaCount | int | `1` | number of replica pods to create | | resources | object | `{}` | | +| secretVars.existingSecret | string | `""` | the name of an existing secret to use for the secret keys to provide to applicationSets via the plugin generator | | securityContext | object | `{}` | securityContext for the container: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ | | service.port | int | `80` | service port to expose on the cluster | | service.targetPort | int | `4355` | service target port on the container | -| service.type | string | `"ClusterIP"` | | +| service.type | string | `"ClusterIP"` | type for the service, only ClusterIP is tested | | serviceAccount.annotations | object | `{}` | Annotations to add to the service account | | serviceAccount.create | bool | `true` | Specifies whether a service account should 
be created | | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| token.existingSecret | string | `""` | the name of an existing secret to use for the token that argoCD and the plugin will use for communication | | tolerations | list | `[]` | | ---------------------------------------------- diff --git a/charts/argocd-appset-secret-plugin/templates/_helpers.tpl b/charts/argocd-appset-secret-plugin/templates/_helpers.tpl index 11ca070..f287b37 100644 --- a/charts/argocd-appset-secret-plugin/templates/_helpers.tpl +++ b/charts/argocd-appset-secret-plugin/templates/_helpers.tpl @@ -56,7 +56,29 @@ Create the name of the service account to use {{- define "argocd-appset-secret-plugin.serviceAccountName" -}} {{- if .Values.serviceAccount.create }} {{- default (include "argocd-appset-secret-plugin.fullname" .) .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create the name of the token secret to use: either from an existing secret +or the fullname of the chart + "-token" +*/}} +{{- define "argocd-appset-secret-plugin.tokenSecret" -}} +{{- if not .Values.token.existingSecret }} +{{- printf "%s-token" (include "argocd-appset-secret-plugin.fullname" .) }} +{{- else }} +{{ .Values.token.existingSecret }} +{{- end }} +{{- end }} + +{{/* +Create the name of the vars secret to use: either from an existing secret +or the fullname of the chart + "-secret-vars" +*/}} +{{- define "argocd-appset-secret-plugin.varSecret" -}} +{{- if not .Values.secretVars.existingSecret }} +{{- printf "%s-secret-vars" (include "argocd-appset-secret-plugin.fullname" .) }} {{- else }} -{{- default "default" .Values.serviceAccount.name }} +{{ .Values.secretVars.existingSecret }} {{- end }} {{- end }} diff --git a/charts/argocd-appset-secret-plugin/templates/deployment.yaml b/charts/argocd-appset-secret-plugin/templates/deployment.yaml index 7d36435..4a65054 100644 
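Review bot: The serviceAccountName helper loses its `else` branch in this hunk: the two added `{{- end }}` lines close `if .Values.serviceAccount.create` straight after the first `default`, while the original `{{- else }}` / `{{- default "default" .Values.serviceAccount.name }}` pair is re-used to close the new varSecret helper, so a user-supplied `serviceAccount.name` is silently dropped whenever `create` is false. Restore the branch before the first added `{{- end }}`: `{{- else }}` / `{{- default "default" .Values.serviceAccount.name }}`. Separately, both new helpers emit the existing-secret name with `{{ .Values.token.existingSecret }}` and `{{ .Values.secretVars.existingSecret }}` (no left-trim), so the include output begins with the newline left after `{{- else }}`, and since deployment.yaml and test-connection.yaml wrap the include in quotes that whitespace most likely ends up inside the secret name. Use `{{- .Values.token.existingSecret }}` and `{{- .Values.secretVars.existingSecret }}`, matching the trimming on the surrounding actions.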
--- a/charts/argocd-appset-secret-plugin/templates/deployment.yaml +++ b/charts/argocd-appset-secret-plugin/templates/deployment.yaml @@ -39,28 +39,22 @@ spec: protocol: TCP volumeMounts: - name: token - mountPath: "/var/run/argo/token" - subPath: token - - name: allowed-env-vars - mountPath: "/var/run/argo/secret_vars.yaml" - subPath: secret_vars.yaml - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http + mountPath: "/var/run/argocd/token" + subPath: "token" + readOnly: true + - name: secret-vars + mountPath: "/var/run/secret-plugin/secret_vars.yaml" + subPath: "secret_vars.yaml" + readOnly: true resources: {{- toYaml .Values.resources | nindent 12 }} volumes: - name: token secret: - secretName: {{ include "argocd-appset-secret-plugin.fullname" . }}-token - - name: allowed-env-vars + secretName: "{{ include "argocd-appset-secret-plugin.tokenSecret" . }}" + - name: secret-vars secret: - secretName: argocd-env-vars + secretName: "{{ include "argocd-appset-secret-plugin.varSecret" . }}" {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/argocd-appset-secret-plugin/templates/secret-token.yaml b/charts/argocd-appset-secret-plugin/templates/secret-token.yaml index a49e24d..b48431f 100644 --- a/charts/argocd-appset-secret-plugin/templates/secret-token.yaml +++ b/charts/argocd-appset-secret-plugin/templates/secret-token.yaml @@ -1,9 +1,12 @@ +{{- if not .Values.token.existingSecret }} apiVersion: v1 kind: Secret metadata: name: {{ include "argocd-appset-secret-plugin.fullname" . }}-token labels: {{- include "argocd-appset-secret-plugin.labels" . | nindent 4 }} +type: Opaque data: - token: {{ randAlphaNum 32 }} + token: {{ randAlphaNum 32 | b64enc | quote }} +{{- end }} diff --git a/charts/argocd-appset-secret-plugin/templates/test_ci_secret.yaml b/charts/argocd-appset-secret-plugin/templates/test_ci_secret.yaml new file mode 100644 index 0000000..cc5ce00 --- /dev/null 
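Review bot: The Deployment is left with no liveness or readiness probe at all: the `httpGet` probes on `/` are removed from the container without a replacement, and the container spec begins outside this hunk. If they were dropped because `/` answers an unauthenticated GET with an error, a `livenessProbe:` / `  tcpSocket:` / `    port: http` block keeps a restart signal without requiring an unauthenticated route, and the same `tcpSocket` form works for `readinessProbe`. The `readOnly: true` on both secret mounts is the right change and should be kept.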
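Review bot: `token: {{ randAlphaNum 32 | b64enc | quote }}` draws a fresh value on every render, so each `helm upgrade` rewrites the token while the plugin process, which reads `/var/run/argocd/token` once at import time in docker/main.py, keeps the old value until its pod restarts; in that window Argo CD's calls will presumably be rejected. Preserving an already-stored value with `lookup` avoids the rotation on upgrade; note that `lookup` returns an empty map under `helm template` and `--dry-run`, so a fresh value is still generated there, and the change should be called out in the chart README. The sketch below keeps the existing `if not .Values.token.existingSecret` guard and only replaces the `data:` block.
```yaml
{{- if not .Values.token.existingSecret }}
{{- $tokenName := printf "%s-token" (include "argocd-appset-secret-plugin.fullname" .) }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $tokenName }}
# … unchanged: apiVersion, kind, metadata, labels, type …
data:
  {{- if hasKey (default dict $existing.data) "token" }}
  token: {{ index $existing.data "token" | quote }}
  {{- else }}
  token: {{ randAlphaNum 32 | b64enc | quote }}
  {{- end }}
{{- end }}
```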
+++ b/charts/argocd-appset-secret-plugin/templates/test_ci_secret.yaml @@ -0,0 +1,12 @@ +{{- if not .Values.secretVars.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "argocd-appset-secret-plugin.fullname" . }}-secret-vars + labels: + app.kubernetes.io/part-of: argocd +stringData: + secret_vars.yaml: | + app_name: "cool_app" +{{- end }} diff --git a/charts/argocd-appset-secret-plugin/templates/tests/test-configmap.yaml b/charts/argocd-appset-secret-plugin/templates/tests/test-configmap.yaml new file mode 100644 index 0000000..86e2c6f --- /dev/null +++ b/charts/argocd-appset-secret-plugin/templates/tests/test-configmap.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: test-connection +data: + curl_script.sh: | + curl http://{{ include "argocd-appset-secret-plugin.fullname" . }}/api/v1/getparams.execute -H "Content-type:application/json" -H "Authorization: Bearer $TOKEN" -d '{"applicationSetName": "fake-appset", "input": {"parameters": {"secret_vars": ["app_name"]}}}' diff --git a/charts/argocd-appset-secret-plugin/templates/tests/test-connection.yaml b/charts/argocd-appset-secret-plugin/templates/tests/test-connection.yaml index b4784b0..576a9f0 100644 --- a/charts/argocd-appset-secret-plugin/templates/tests/test-connection.yaml +++ b/charts/argocd-appset-secret-plugin/templates/tests/test-connection.yaml 
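Review bot: test_ci_secret.yaml is rendered as part of every release, not as a test: it sits in `templates/` rather than `templates/tests/` and carries no `helm.sh/hook` annotation, so any install with `secretVars.existingSecret` empty ships a live Secret whose `secret_vars.yaml` serves `app_name: "cool_app"` to ApplicationSets. If that is the intended default, a name such as `secret-vars.yaml` plus a header comment like `# default secret_vars, rendered only when secretVars.existingSecret is unset` makes that clear; if it is CI-only, it belongs under `templates/tests/` with the test hook annotation. Its metadata also hardcodes `app.kubernetes.io/part-of: argocd` and omits `type: Opaque`, whereas secret-token.yaml in this same commit uses `{{- include "argocd-appset-secret-plugin.labels" . | nindent 4 }}` and sets the type; the two generated Secrets should follow one convention.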
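Review bot: The curl in `curl_script.sh` has no `--fail`, so a 401 or 500 from the plugin still exits 0 and `helm test` passes regardless of whether the token and secret_vars are wired correctly; `curl -sS --fail http://{{ include "argocd-appset-secret-plugin.fullname" . }}/api/v1/getparams.execute ...` makes the test meaningful. The ConfigMap is also a regular release resource rather than a test fixture: it has no `helm.sh/hook: test` annotation, and its fixed `name: test-connection` (not derived from the fullname template) collides when two releases share a namespace. Add `annotations:` / `"helm.sh/hook": test` under metadata and name it `{{ include "argocd-appset-secret-plugin.fullname" . }}-test-script`, updating the reference in test-connection.yaml to match.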
@@ -8,8 +8,26 @@ metadata: "helm.sh/hook": test spec: containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "argocd-appset-secret-plugin.fullname" . }}:{{ .Values.service.port }}'] + - name: curl + image: curlimages/curl + command: ['/bin/sh'] + args: + - "-c" + - "/testing/curl_script.sh" + env: + - name: "TOKEN" + valueFrom: + secretKeyRef: + name: '{{ include "argocd-appset-secret-plugin.tokenSecret" . }}' + key: token + volumeMounts: + - name: curl-script + mountPath: "/testing" + readOnly: false + volumes: + - name: curl-script + configMap: + name: test-connection + defaultMode: 0777 + restartPolicy: Never diff --git a/charts/argocd-appset-secret-plugin/values.yaml b/charts/argocd-appset-secret-plugin/values.yaml index 2c13250..d916a86 100644 --- a/charts/argocd-appset-secret-plugin/values.yaml +++ b/charts/argocd-appset-secret-plugin/values.yaml @@ -7,16 +7,25 @@ replicaCount: 1 image: # -- image repo to use for the docker container - repository: jessebot/appset-secret-generator-plugin + repository: jessebot/argocd-appset-secret-plugin # -- image pullPolicy for the main container pullPolicy: IfNotPresent # -- Overrides the image tag whose default is the chart appVersion. tag: "" imagePullSecrets: [] +# -- override the autogenerated name of this helm chart release nameOverride: "" fullnameOverride: "" +secretVars: + # -- the name of an existing secret to use for the secret keys to provide to applicationSets via the plugin generator + existingSecret: "" + +token: + # -- the name of an existing secret to use for the token that argoCD and the plugin will use for communication + existingSecret: "" + serviceAccount: # -- Specifies whether a service account should be created create: true @@ -43,6 +52,7 @@ securityContext: {} # runAsUser: 1000 service: + # -- type for the service, only ClusterIP is tested type: ClusterIP # -- service port to expose on the cluster port: 80 
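Review bot: `defaultMode: 0777` and `readOnly: false` on the curl-script mount grant more than the test needs: the script is only ever run through `/bin/sh`, so passing the path as the script argument rather than via `-c` — `args: ['/testing/curl_script.sh']` — needs no execute bit, which lets the volume keep the ConfigMap default mode and the mount become `readOnly: true`. Sourcing `TOKEN` from the tokenSecret helper via `secretKeyRef` is the right approach; just be aware that the single-quoted `name:` will carry any stray whitespace the helper emits for an existing secret. The pod `spec:` that this container list belongs to begins outside the hunk.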
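Review bot: The two new `existingSecret` comments say which Secret to point at but not which key the chart reads from it, and deployment.yaml mounts the token volume with `subPath: "token"` and the vars volume with `subPath: "secret_vars.yaml"`, so an existing Secret must carry exactly those keys. Extend the comments, e.g. `# -- the name of an existing secret to use for the token ...; the secret must contain the key "token"` and `# -- ...; the secret must contain the key "secret_vars.yaml" holding a YAML document of the variables`. The same wording should go into the matching rows of the chart README table, which this commit also touches.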
@@ -69,6 +79,7 @@ autoscaling: targetCPUUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80 +# -- deploy chart to a specific k8s node nodeSelector: {} tolerations: [] diff --git a/docker/README.md b/docker/README.md index 7ab9362..a7d7e40 100644 --- a/docker/README.md +++ b/docker/README.md @@ -12,7 +12,7 @@ docker build . -t jessebot/argocd-appset-secret-plugin:dev Generate a fake token ```bash -openssl rand -base64 12 > token && export PLUGIN_TOKEN=`/bin/cat token` +openssl rand -base64 12 > token && export TOKEN=`/bin/cat token` ``` Create some test values you'd like to get in your fake ApplicationSet: @@ -25,7 +25,7 @@ Run the docker container: ```bash docker run \ - -v ./secret_vars.yaml:/var/run/argocd/secret_vars.yaml \ + -v ./secret_vars.yaml:/var/run/secret-plugin/secret_vars.yaml \ -v ./token:/var/run/argocd/token \ -p 4355:4355 \ jessebot/argocd-appset-secret-plugin:dev @@ -34,7 +34,7 @@ docker run \ Send a request for a vairable in your secret_vars.yaml: ```bash -curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer $PLUGIN_TOKEN" -d \ +curl http://localhost:4355/api/v1/getparams.execute -H "Authorization: Bearer $TOKEN" -d \ '{ "applicationSetName": "fake-appset", "input": { diff --git a/docker/main.py b/docker/main.py index 8cc6843..7d44cdb 100644 --- a/docker/main.py +++ b/docker/main.py @@ -13,7 +13,7 @@ with open("/var/run/argocd/token") as f: TOKEN = f.read().strip() -with open("/var/run/argocd/secret_vars.yaml") as yaml_file: +with open("/var/run/secret-plugin/secret_vars.yaml") as yaml_file: SECRET_VARS = yaml.safe_load(yaml_file) class Plugin(BaseHTTPRequestHandler): diff --git a/docker/pyproject.toml b/docker/pyproject.toml new file mode 100644 index 0000000..b1d2779 --- /dev/null +++ b/docker/pyproject.toml 
@@ -0,0 +1,17 @@ +[tool.poetry] +name = "argocd-appset-secret-plugin" +version = "0.1.2" +description = "a K8s Secret Plugin Generator to ApplicationSets in Argo CD" +authors = ["jessebot "] +license = "Apache-2.0" +readme = "README.md" +packages = [{include = "argocd_appset_secret_plugin"}] + +[tool.poetry.dependencies] +python = "^3.11" +PyYAML = "^6.0.1" + + +[build-system] +requires = ["poetry-core"] +build-backend = "poetry.core.masonry.api" diff --git a/example/appset_and_secret.yaml b/example/appset_and_secret.yaml index d6d5d13..7b25b7b 100644 --- a/example/appset_and_secret.yaml +++ b/example/appset_and_secret.yaml @@ -2,15 +2,16 @@ apiVersion: v1 kind: Secret metadata: - name: argocd-env-vars + name: argocd-secret-vars namespace: argocd labels: app.kubernetes.io/part-of: argocd type: Opaque data: - # The secret value must be base64 encoded **once**. - # This value corresponds to: `printf "beepboop" | base64`. - app_name: "YmVlcGJvb3A=" + secret_vars.yaml: | + # The secret value must be base64 encoded **once**. + # This value corresponds to: `printf "beepboop" | base64`. + app_name: "YmVlcGJvb3A=" --- apiVersion: argoproj.io/v1alpha1 diff --git a/kustomize/manifests/deployment.yaml b/kustomize/manifests/deployment.yaml index 41420d4..e12bb57 100644 --- a/kustomize/manifests/deployment.yaml +++ b/kustomize/manifests/deployment.yaml @@ -28,8 +28,8 @@ spec: mountPath: "/var/run/argocd/token" subPath: "token" - name: argocd-secret-vars - mountPath: "/var/run/argocd/secret-vars.yaml" - subPath: "secret-vars.yaml" + mountPath: "/var/run/argocd/secret_vars.yaml" + subPath: "secret_vars.yaml" volumes: - name: token secret:
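Review bot: `packages = [{include = "argocd_appset_secret_plugin"}]` names a package directory, but the service shown in this commit is the single module docker/main.py and no such directory appears in the diff, so `poetry build` / `poetry install` will presumably fail with a missing-package error unless the directory exists outside this change. If main.py is the whole program, `packages = [{include = "main.py"}]` (Poetry accepts a single-file module) or dropping the `packages` entry with `package-mode = false` style tooling is the usual fix; if the directory does exist, ignore this. `version = "0.1.2"` matches the new `appVersion`, which is good to keep in lockstep.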
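Review bot: The example Secret cannot be applied as written: under `data:` every value must be a base64 string, but the new `secret_vars.yaml: |` block scalar is a YAML document (comments plus `app_name: "YmVlcGJvb3A="`), which the API server will reject as invalid base64. Since the plugin reads the mounted file with `yaml.safe_load`, the value should be plaintext YAML under `stringData:` with no inner encoding: `stringData:` / `  secret_vars.yaml: |` / `    app_name: "beepboop"`, exactly as templates/test_ci_secret.yaml does, and the two base64 comment lines should go. The top-level README.md hunk has the same block scalar and additionally sets `type: stringData`, which is not a Secret type — `stringData` is a field alongside `data`, and `type: Opaque` should stay.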
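Review bot: kustomize/manifests/deployment.yaml now mounts the vars file at `/var/run/argocd/secret_vars.yaml`, while docker/main.py in this same commit opens `/var/run/secret-plugin/secret_vars.yaml` (and the Helm deployment.yaml was moved to that path), so the kustomize deployment will presumably fail at startup with the new image. Change the new lines to `mountPath: "/var/run/secret-plugin/secret_vars.yaml"` with `subPath: "secret_vars.yaml"`. Both secret mounts here also lack the `readOnly: true` that the chart's deployment.yaml sets; the container spec these mounts belong to begins outside the hunk.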