The latest articles on The Ops Community ⚙️ by César M. Cristóbal (@jilgue). https://community.ops.io/jilgue https://community.ops.io/images/Yu9r3qjde_xc3rXIbjYtHrlWetOZMgJWcskLiz5tz0w/rs:fill:90:90/g:sm/mb:500000/ar:1/aHR0cHM6Ly9jb21t/dW5pdHkub3BzLmlv/L3JlbW90ZWltYWdl/cy91cGxvYWRzL3Vz/ZXIvcHJvZmlsZV9p/bWFnZS8zOTcvZjRh/ZTE0YTYtOWE3NS00/MmI2LTkyYmEtZWE2/OWJlYjk2NWFmLmpw/Zw https://community.ops.io/jilgue en César M. Cristóbal Wed, 07 Sep 2022 06:43:48 +0000 https://community.ops.io/jilgue/secrets-in-argocd-with-sops-pa6 https://community.ops.io/jilgue/secrets-in-argocd-with-sops-pa6 <p><a href="https://argoproj.github.io/cd/">ArgoCD</a> is a tool that implements the gitops philosophy for deploying applications on Kubernetes. It is a declarative, Git-based deployment system that uses a simple, human-readable manifest file to define the desired state of your application. In this article, we will explore how to use ArgoCD with <a href="https://github.com/mozilla/sops">Sops</a> to manage secrets in a gitops workflow.</p> <p>We are using <a href="https://github.com/mozilla/sops#encrypting-using-gcp-kms">sops with GCP KMS</a>, the first thing we need is a service account with the role <code>roles/cloudkms.cryptoKeyDecrypter</code> and create a secret on Kubernetes:</p> <p><code>kubectl create secret generic kms-sa --from-file sa.json</code></p> <p>The idea is to use Argo <a href="https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/">Config Management Plugin</a> to decrypt the secret and generate a plane yaml with all Kubernetes objects (deployment, services, ...) and use <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/custom_tools/">Cumstom Tooling</a> to install Sops and other tools needed.</p> <p>In the process we have encountered several problems, and one of them is that it is necessary to use yq to properly format the output yamls and avoid errors such like: <code>error converting YAML to JSON: yaml: line 4: did not find expected ',' or ']'.</code></p> <p>These are the values to install argo-cd by Helm. The configuration assumes that all secrets are in the <code>secrets.enc</code> file encoded with yaml.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">server</span><span class="pi">:</span> <span class="na">config</span><span class="pi">:</span> <span class="na">configManagementPlugins</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">- name: sops</span> <span class="s">init:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["if [ -f 'secrets.enc' ]; then echo '---' &gt; secrets.yaml &amp;&amp; sops -d --input-type yaml --output-type yaml secrets.enc &gt;&gt; secrets.yaml; fi"]</span> <span class="s">generate:</span> <span class="s">command: ["/bin/sh", "-c"]</span> <span class="s">args: ["cat *.yaml | yq"]</span> <span class="na">repoServer</span><span class="pi">:</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kms-sa</span> <span class="na">secret</span><span class="pi">:</span> <span class="na">secretName</span><span class="pi">:</span> <span class="s">kms-sa</span> <span class="na">items</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">key</span><span class="pi">:</span> <span class="s">sa.json</span> <span class="na">path</span><span class="pi">:</span> <span class="s">sa.json</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/local/bin/sops</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">sops</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/local/bin/jq</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">jq</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/local/bin/yq</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">yq</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/etc/secrets/sa.json</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kms-sa</span> <span class="na">subPath</span><span class="pi">:</span> <span class="s">sa.json</span> <span class="na">env</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">GOOGLE_APPLICATION_CREDENTIALS</span> <span class="na">value</span><span class="pi">:</span> <span class="s">/etc/secrets/sa.json</span> <span class="na">initContainers</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> <span class="na">image</span><span class="pi">:</span> <span class="s">alpine:3.8</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">/bin/sh"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">-c"</span><span class="pi">]</span> <span class="na">args</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">wget https://github.com/mozilla/sops/releases/download/v3.7.3/sops-v3.7.3.linux.amd64 -O /custom-tools/sops;</span> <span class="s">chmod a+x /custom-tools/sops;</span> <span class="s">wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O /custom-tools/jq;</span> <span class="s">chmod a+x /custom-tools/jq;</span> <span class="s">wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /custom-tools/yq;</span> <span class="s">chmod +x /custom-tools/yq;</span> <span class="na">volumeMounts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">mountPath</span><span class="pi">:</span> <span class="s">/custom-tools</span> <span class="na">name</span><span class="pi">:</span> <span class="s">custom-tools</span> </code></pre> </div> <p><code>helm upgrade sops argo/argo-cd --values values-sops.yaml</code></p> <p>And an application example to try it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">argoproj.io/v1alpha1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Application</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">secrets</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">argocd</span> <span class="na">spec</span><span class="pi">:</span> <span class="na">project</span><span class="pi">:</span> <span class="s">default</span> <span class="na">source</span><span class="pi">:</span> <span class="na">repoURL</span><span class="pi">:</span> <span class="s">https://github.com/Callepuzzle/manifests</span> <span class="na">targetRevision</span><span class="pi">:</span> <span class="s">main</span> <span class="na">path</span><span class="pi">:</span> <span class="s">poc-argocd</span> <span class="na">plugin</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">sops</span> <span class="na">destination</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">server</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://kubernetes.default.svc'</span> </code></pre> </div> tutorials kubernetes secops cicd