diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..61160d5
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,30 @@
+FROM argoproj/argocd:v1.8.3 as base
+
+ARG HELM_SECRETS_VERSION="3.4.1"
+USER root
+RUN apt-get update --allow-insecure-repositories --allow-unauthenticated && \
+ apt-get install -y \
+ curl \
+ gpg && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+FROM mozilla/sops:v3.6.1 as sops
+# better to grab from the docker image, even though it seems crazy, it's so renovate can give us PRs!
+
+FROM base as addwrapper
+COPY helm-wrapper.sh /usr/local/bin/
+COPY --from=sops /go/bin/sops /usr/local/bin/
+USER root
+RUN cd /usr/local/bin && \
+ mv helm helm.bin && \
+ mv helm2 helm2.bin && \
+ mv helm-wrapper.sh helm && \
+ ln helm helm2 && \
+ chmod +x helm helm2 sops
+
+FROM addwrapper
+# helm secrets plugin should be installed as user argocd or it won't be found
+USER argocd
+RUN /usr/local/bin/helm.bin plugin install https://github.com/jkroepke/helm-secrets --version ${HELM_SECRETS_VERSION}
+ENV HELM_PLUGINS="/home/argocd/.local/share/helm/plugins/"
diff --git a/drone.yml b/drone.yml
new file mode 100644
index 0000000..39f7cbc
--- /dev/null
+++ b/drone.yml
@@ -0,0 +1,15 @@
+- name: publish
+ image: plugins/docker:18
+ settings:
+ auto_tag: true
+ auto_tag_suffix: linux-amd64
+ dockerfile: build/package/Dockerfile
+ repo: imartyn/ledcontroller
+ username:
+ from_secret: docker_username
+ password:
+ from_secret: docker_password
+ when:
+ event:
+ - push
+ - tag
diff --git a/helm-wrapper.sh b/helm-wrapper.sh
new file mode 100644
index 0000000..2c29c65
--- /dev/null
+++ b/helm-wrapper.sh
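Review bot: In the Dockerfile hunk, `apt-get update --allow-insecure-repositories --allow-unauthenticated` turns off APT's repository signature checks, so `curl` and `gpg` are resolved from package indexes whose origin was never verified, and that layer is inherited by every later stage built on `base`. If the flags work around an expired or missing key in the `argoproj/argocd:v1.8.3` base (an inference; the hunk does not say), repair the keyring or move the base tag instead, and use `RUN apt-get update && \` followed by `apt-get install -y --no-install-recommends \`. Separately, `HELM_SECRETS_VERSION` is declared only in the `base` stage but read in the final stage; ARG visibility across `FROM <stage>` differs between builders, so confirm it is non-empty where `helm.bin plugin install ... --version ${HELM_SECRETS_VERSION}` runs.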
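Review bot: In drone.yml, `dockerfile: build/package/Dockerfile` points at a path this commit does not create (the Dockerfile is added at the repository root), and `repo: imartyn/ledcontroller` looks carried over from another project. As written the step would either fail or push this ArgoCD image under an unrelated name using the `docker_username`/`docker_password` secrets. Something like `dockerfile: Dockerfile` and `repo: <namespace>/<image-name>` (placeholder) would match what the commit adds. The file is also a bare step list named `drone.yml`; whether Drone picks it up depends on repository settings not visible here.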
@@ -0,0 +1,22 @@
+# helm secrets only supports a few helm commands
+if [ $1 = "template" ] || [ $1 = "install" ] || [ $1 = "upgrade" ] || [ $1 = "lint" ] || [ $1 = "diff" ]
+then
+ # Helm secrets add some useless outputs to every commands including template, namely
+ # 'remove: .dec' for every decoded secrets.
+ # As argocd use helm template output to compute the resources to apply, these outputs
+ # will cause a parsing error from argocd, so we need to remove them.
+ # We cannot use exec here as we need to pipe the output so we call helm in a subprocess and
+ # handle the return code ourselves.
+ out=$(helm.bin secrets $@)
+ code=$?
+ if [ $code -eq 0 ]; then
+ # printf insted of echo here because we really don't want any backslash character processing
+ printf '%s\n' "$out" | sed -E "/^removed '.+\.dec'$/d"
+ exit 0
+ else
+ exit $code
+ fi
+else
+ # helm.bin is the original helm binary
+ exec helm.bin $@
+fi
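Review bot: `$@` is expanded unquoted in both `out=$(helm.bin secrets $@)` and `exec helm.bin $@`, so every argument is word-split and glob-expanded a second time before it reaches helm. An argument containing spaces or wildcard characters (plausible if values come from an Application spec, which this hunk does not show) would arrive as several arguments, changing which flags helm sees. The `[ $1 = ... ]` tests are unquoted too and error out when the wrapper is called with no arguments. The file also has no `#!` line although it replaces `/usr/local/bin/helm`, so a caller that execs it directly rather than through a shell may get an exec format error; confirm how argocd invokes it.

```shell
#!/bin/sh
# helm secrets only supports a few helm commands
if [ "$1" = "template" ] || [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" = "lint" ] || [ "$1" = "diff" ]
# … unchanged: then, comment block on filtering helm-secrets output …
    out=$(helm.bin secrets "$@")
# … unchanged: exit-code handling, sed filter, else branch comment …
    exec helm.bin "$@"
```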