
ArgoCD w/ SOPS leveraging AWS KMS #165

Closed
jmclean-starburst opened this issue Nov 17, 2021 · 11 comments
Labels
enhancement New feature or request

Comments

@jmclean-starburst

Problem Statement

I am unable to leverage this plugin in its current state while using AWS KMS keys and SOPS. Do you know if there is support for this, or am I just leveraging helm-secrets incorrectly?

helm secrets version = v3.9.1

Proposed Solution

No response

Environment

  • Helm Version:
  • OS:
  • Shell:

Additional information

No response

Acceptance Criteria

No response

@jmclean-starburst jmclean-starburst added the enhancement New feature or request label Nov 17, 2021
@jkroepke
Owner

Hi,

In the background, helm-secrets is a wrapper around sops. helm-secrets supports all features that are supported by sops.

Check out https://github.com/mozilla/sops#kms-aws-profiles for integrating sops and AWS KMS. Additionally, you need to provide credentials so that sops is authorized to call the AWS KMS keys.

In case you are running EKS, I recommend using IRSA. You can also provide the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY that hold credentials for a valid AWS IAM account.

@jmclean-starburst
Author

I had assumed as much... just things are a bit wonky with my ArgoCD referencing a sops-encrypted file; one possibility is that I am forced to use the umbrella chart pattern because ArgoCD doesn't support values on a local filesystem/repo, only values within the repository containing the Helm chart definition. The umbrella chart pattern allows values to be set on a local filesystem/repo.

More info: https://argo-cd.readthedocs.io/en/stable/user-guide/helm/

Values files must be in the same git repository as the Helm chart. The files can be in a different location in which case it can be accessed using a relative path relative to the root directory of the Helm chart.

I have been hoping for this bad boy to close soon: argoproj/argo-cd#6280

@jkroepke
Owner

Check out https://github.com/jkroepke/helm-secrets/blob/main/docs/ARGOCD.md#known-limitations for some workarounds.

@jmclean-starburst
Author

jmclean-starburst commented Nov 18, 2021

This doesn't seem to be working; I have the below for my valuesFiles:

secrets://my-ns-w-secret/secret-name#secret-key?https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml

Is there a way I can debug this further? The below shows the helm plugin installed on the argocd-repo-server:

argocd@argocd-repo-server-7b75c656-rbfk2:~$ helm plugin list  
NAME   	VERSION	DESCRIPTION                                                                  
secrets	3.9.1  	This plugin provides secrets values encryption for Helm charts secure storing

argocd@argocd-repo-server-7b75c656-rbfk2:~$ helm version
version.BuildInfo{Version:"v3.6.0", GitCommit:"7f2df6467771a75f5646b7f12afb408590ed1755", GitTreeState:"clean", GoVersion:"go1.16.3"}

ArgoCD version: 2.1.5

Nit: the docs have a third / on one of the markdown code references.

@jkroepke
Owner

In case you have a sops encrypted file with AWS KMS, you can use something like this.

secrets://https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml

The my-ns-w-secret/secret-name#secret-key syntax is used in case you are using gpg or age encryption instead of AWS KMS.
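Combining the plain secrets://URL form above with the KMS and IRSA advice from earlier in the thread, here is an added end-to-end example; it is not from the thread or the helm-secrets docs, and the key ARN, role ARN, repository URL and service-account name are placeholders or assumptions, not values from this issue.

```yaml
# 1. .sops.yaml in the values repository (constructed example).
#    Files matching the regex are encrypted to the KMS key; sops stores the
#    key ARN in the file's metadata, so the repo-server only needs kms:Decrypt.
creation_rules:
  - path_regex: .*secrets\.ya?ml$
    kms: arn:aws:kms:us-east-1:000000000000:key/PLACEHOLDER-KEY-ID
---
# 2. ArgoCD Application: values come from the chart repo as usual, the
#    KMS-encrypted file is referenced through helm-secrets with the plain
#    "secrets://<url>" form (no Kubernetes Secret needed for KMS-only files).
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-app            # assumed name
  namespace: argocd
spec:
  project: default
  destination:
    server: https://kubernetes.default.svc
    namespace: my-app
  source:
    repoURL: https://github.com/org/repo   # placeholder, as in the thread
    targetRevision: main
    path: chart
    helm:
      valueFiles:
        - values.yaml
        - secrets://https://raw.githubusercontent.com/org/repo/ref/pathtofile.yml
---
# 3. IRSA: annotate the repo-server's service account (assumed to be the
#    default "argocd-repo-server") with a role whose policy grants only
#    kms:Decrypt on the key above. Encryption stays on developer machines,
#    so the cluster identity never needs kms:Encrypt or key administration.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-repo-server
  namespace: argocd
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::000000000000:role/PLACEHOLDER-ROLE
```

The secrets://my-ns-w-secret/secret-name#secret-key form from the thread is only required when the decryption key itself (gpg or age) has to be mounted from a Kubernetes Secret; with KMS the key never leaves AWS, so that indirection is unnecessary.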

@jmclean-starburst
Author

So... this is going to sound weird... but this works if I clone down your repository and add the plugin via helm plugin install ./helm-secrets, but if I install the plugin via the remote git repo (helm plugin install https://github.com/jkroepke/helm-secrets), I get something like the below:

Error: failed to parse secrets://secrets.yaml: error unmarshaling JSON: while decoding JSON: json: cannot unmarshal array into Go value of type map[string]interface {}

@jkroepke
Owner

I have no idea here, except to check whether the plugin.yaml is equal at the plugin root.

@jmclean-starburst
Author

FWIW, I found my issue (it has been plaguing my soul for 3 days).

I referenced a helm-secrets version of v3.9.1 in my ArgoCD Dockerfile, whereas it should have been 3.9.1. Painful... however, I do think that through this journey I will try to contribute so we can use a k8s secret for fetching remote repos, instead of injecting directly within the URL (similar to GPG). More to come!

@jmclean-starburst
Author

#168

@jkroepke
Owner

Mention that age support is available since 3.10.0.

@Kiruthikameena

@jmclean-starburst I am trying to use AWS KMS as well and facing some issues; could you please guide me if something is wrong with the setup?

The issue is described here #394. Thanks in advance!
