|
18 | 18 | # 2. Use an init container to download/copy custom binaries into the emptyDir
|
19 | 19 | initContainers:
|
20 | 20 | - name: install-ksops
|
21 |
| - image: viaductoss/ksops:v4.1.1 |
| 21 | + image: viaductoss/ksops:v4.3.3 |
22 | 22 | command: ["/bin/sh", "-c"]
|
23 | 23 | args:
|
24 | 24 | - echo "Installing KSOPS...";
|
|
28 | 28 | volumeMounts:
|
29 | 29 | - mountPath: /custom-tools
|
30 | 30 | name: custom-tools
|
| 31 | + - name: install-custom-tools |
| 32 | + image: alpine:latest |
| 33 | + imagePullPolicy: IfNotPresent |
| 34 | + command: [sh, -ec] |
| 35 | + env: |
| 36 | + - name: HELM_SECRETS_VERSION |
| 37 | + value: "4.6.3" |
| 38 | + - name: KUBECTL_VERSION |
| 39 | + value: "1.30.2" |
| 40 | + - name: VALS_VERSION |
| 41 | + value: "0.39.3" |
| 42 | + - name: SOPS_VERSION |
| 43 | + value: "3.9.4" |
| 44 | + args: |
| 45 | + - | |
| 46 | + mkdir -p /custom-tools/helm-plugins |
| 47 | +
|
| 48 | + GO_ARCH=$(uname -m | sed -e 's/x86_64/amd64/') |
| 49 | + wget -qO /custom-tools/curl https://github.com/moparisthebest/static-curl/releases/latest/download/curl-${GO_ARCH} |
| 50 | +
|
| 51 | + GO_ARCH=$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/') && \ |
| 52 | + wget -qO /custom-tools/kubectl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${GO_ARCH}/kubectl |
| 53 | + wget -qO /custom-tools/sops https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.${GO_ARCH} |
| 54 | + wget -qO- https://github.com/helmfile/vals/releases/download/v${VALS_VERSION}/vals_${VALS_VERSION}_linux_${GO_ARCH}.tar.gz | tar zxv -C /custom-tools vals |
| 55 | + wget -qO- https://github.com/jkroepke/helm-secrets/releases/download/v${HELM_SECRETS_VERSION}/helm-secrets.tar.gz | tar -C /custom-tools/helm-plugins -xzf- |
| 56 | +
|
| 57 | + chmod +x /custom-tools/* |
| 58 | + cp /custom-tools/helm-plugins/helm-secrets/scripts/wrapper/helm.sh /custom-tools/helm |
| 59 | + volumeMounts: |
| 60 | + - mountPath: /custom-tools |
| 61 | + name: custom-tools |
31 | 62 | # Import the private gpg key from the secret into argocd
|
32 | 63 | - name: import-gpg-key
|
33 | 64 | image: argoproj/argocd:v2.5.0
|
|
49 | 80 | - secretRef:
|
50 | 81 | name: "sops-age"
|
51 | 82 | optional: true
|
| 83 | + env: |
| 84 | + - name: HELM_PLUGINS |
| 85 | + value: /custom-tools/helm-plugins/ |
| 86 | + - name: HELM_SECRETS_CURL_PATH |
| 87 | + value: /custom-tools/curl |
| 88 | + - name: HELM_SECRETS_SOPS_PATH |
| 89 | + value: /custom-tools/sops |
| 90 | + - name: HELM_SECRETS_VALS_PATH |
| 91 | + value: /custom-tools/vals |
| 92 | + - name: HELM_SECRETS_KUBECTL_PATH |
| 93 | + value: /custom-tools/kubectl |
| 94 | + - name: HELM_SECRETS_BACKEND |
| 95 | + value: sops |
| 96 | + # https://github.com/jkroepke/helm-secrets/wiki/Security-in-shared-environments |
| 97 | + - name: HELM_SECRETS_VALUES_ALLOW_SYMLINKS |
| 98 | + value: "false" |
| 99 | + - name: HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH |
| 100 | + value: "true" |
| 101 | + - name: HELM_SECRETS_VALUES_ALLOW_PATH_TRAVERSAL |
| 102 | + value: "false" |
| 103 | + - name: HELM_SECRETS_WRAPPER_ENABLED |
| 104 | + value: "true" |
| 105 | + - name: HELM_SECRETS_DECRYPT_SECRETS_IN_TMP_DIR |
| 106 | + value: "true" |
| 107 | + - name: HELM_SECRETS_HELM_PATH |
| 108 | + value: /usr/local/bin/helm |
| 109 | + - name: HELM_SECRETS_LOAD_GPG_KEYS |
| 110 | + value: /sops-gpg/sops.asc |
52 | 111 | volumeMounts:
|
| 112 | + - mountPath: /custom-tools |
| 113 | + name: custom-tools |
| 114 | + - mountPath: /usr/local/sbin/helm |
| 115 | + subPath: helm |
| 116 | + name: custom-tools |
53 | 117 | - mountPath: /usr/local/bin/kustomize
|
54 | 118 | name: custom-tools
|
55 | 119 | subPath: kustomize
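Review bot: The `install-custom-tools` init container (new lines 31–61) downloads curl, kubectl, sops, vals and helm-secrets with `wget` and runs `chmod +x /custom-tools/*` without checking any digest or signature, and those binaries are then mounted into the container that receives the `sops-age` secret and `/sops-gpg/sops.asc`. Two inputs are not pinned at all, `image: alpine:latest` and the static-curl URL under `releases/latest/download/`, while the other four tools have explicit version variables. I would pin the image by digest and curl by release tag, add one checksum env entry per tool, and verify each download before the chmod, for example `echo "${SOPS_SHA256}  /custom-tools/sops" | sha256sum -c -`, where `SOPS_SHA256` is a placeholder name for a new variable holding the published digest. `HELM_SECRETS_VALUES_ALLOW_ABSOLUTE_PATH` is set to `"true"` directly under the link to the shared-environments guidance; if this repo-server serves more than one tenant, that line needs a comment stating why absolute paths are required. The pod spec enclosing these entries starts outside the visible lines, so an existing securityContext or network policy may already narrow some of this.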
|
|