argo-cd: new multiple sources doesn't work with helm-secrets
Checklist:
- I’ve searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I’ve included steps to reproduce the bug.
- I’ve pasted the output of `argocd version`.
Describe the bug
When using as values files in helm application with secrets, using the “secrets+age-import:///age-secret-key/keys.txt” file uri, the ref is not replaced with the file path.
To Reproduce
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: namespace-config
spec:
  project: project
  destination:
    name: in-cluster
    namespace: staging
  source:
    - repoURL: repo2
      targetRevision: main
      ref: config
    - repoURL: repo # Can point to either a Helm chart repo or a git repo.
      targetRevision: HEAD # For Helm, this refers to the chart version.
      path: path # This has no meaning for Helm charts pulled directly from a Helm repo instead of git.
      helm:
        valueFiles:
          - values.yaml
          - $config/namespace-config/default/values.namespace.yaml
          - secrets+age-import:///age-secret-key/keys.txt?$config/namespace-config/default/secrets.namespace.yaml
          - $config/namespace-config/staging/values.namespace.yaml
          - secrets+age-import:///age-secret-key/keys.txt?$config/namespace-config/staging/secrets.namespace.yaml
        ignoreMissingValueFiles: false
  syncPolicy:
    automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field.
      prune: true # Specifies if resources should be pruned during auto-syncing ( false by default ).
      selfHeal: true # Specifies if partial app sync should be executed when resources are changed only in target Kubernetes cluster and no git change detected ( false by default ).
      allowEmpty: false # Allows deleting all application resources during automatic syncing ( false by default ).
    syncOptions: # Sync options which modifies sync behavior
      - Validate=false # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
      - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
      - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
      - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
    # The retry feature is available since v1.7
    retry:
      limit: 5 # number of failed sync attempt retries; unlimited number of attempts if less than 0
      backoff:
        duration: 5s # the amount to back off. Default unit is seconds, but could also be a duration (e.g. "2m", "1h")
        factor: 2 # a factor to multiply the base duration after each failed retry
        maxDuration: 3m # the maximum amount of time allowed for the backoff strategy
  # RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for
  # informational purposes as well as for rollbacks to previous versions. This should only be changed in exceptional
  # circumstances. Setting to zero will store no history. This will reduce storage used. Increasing will increase the
  # space used to store the history, so we do not recommend increasing it.
  revisionHistoryLimit: 1
```
Expected behavior
ArgoCD should replace $config by the directory path
Version
2.6.0-rc1 (I have no ingress on the argocd deployment, so `argocd version` doesn't work)
About this issue
- State: open
- Created a year ago
- Reactions: 17
- Comments: 26 (9 by maintainers)
Based on https://github.com/argoproj/argo-cd/pull/11966#issuecomment-1386387547, unfortunately, it looks that way. As a beta feature, there may be edge cases that aren’t supported yet, and Helm Secrets happen to be a victim of that. Unless someone has time to figure out the solution and properly test it before the 2.6 release on 2023-02-06, it’ll have to wait for 2.7 around 2023-04-10 or there is “some hope for including it in a patch release”.
Hi,
We want to use helm-secrets with sops backend + multi sources app. From the following documentation, we understand that the limitation lives on Argo CD side.
https://github.com/jkroepke/helm-secrets/wiki/ArgoCD-Integration#multi-source-application-support-beta
Should we wait for 2.7 release?
What is the issue with allowing the $ref to be substituted after the protocol handler `secrets//$ref/`? That would be the best user experience. It seems like this issue can be resolved by #12508
@ishitasequeira Did you see any chance that the PR will be merged into 2.7?
As plugin maintainer, I’m open to any reachable solution.
I think that env is for helm-secrets that would by default reject an absolute path, not argo.
Meanwhile 1 week into testing argocd I already hit this limitation too, only because the substitution assumes that the string must start with $ref.
The simplest method for me would be to allow ref substitution (in helm plugin) using both a file path or an URI style reference, without touching the scheme to allow for arbitrary plugins (secrets://).
And limit the substitution to the first match after the scheme.
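The substitution rule proposed in the comment above (leave the scheme untouched, replace only the first `$ref` after it), sketched in Go as an added example that is not Argo CD's or helm-secrets' code. `ResolveValueFile`, the `refs` map, the checkout path and the accepted ref-name characters are assumptions, and the check that rejects `../` escapes from the checkout is an addition.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// refToken: first "$name/..." at the start of the string or right after '/' or '?'.
// The allowed characters for a ref name are an assumption.
var refToken = regexp.MustCompile(`(^|[/?])\$([A-Za-z0-9_-]+)(/[^?#]*)`)

// ResolveValueFile is a hypothetical helper, not Argo CD's implementation.
// refs maps each source's ref name to its local checkout directory.
func ResolveValueFile(raw string, refs map[string]string) (string, error) {
	prefix, rest := "", raw
	if i := strings.Index(raw, "://"); i >= 0 {
		// Leave the scheme untouched so arbitrary plugin schemes keep working.
		prefix, rest = raw[:i+3], raw[i+3:]
	}
	loc := refToken.FindStringSubmatchIndex(rest)
	if loc == nil {
		return raw, nil // no $ref present: pass through unchanged
	}
	name, rel := rest[loc[4]:loc[5]], rest[loc[6]:loc[7]]
	dir, ok := refs[name]
	if !ok {
		return "", fmt.Errorf("unknown ref %q in %q", name, raw)
	}
	root := filepath.Clean(dir)
	full := filepath.Join(root, rel)
	// Reject "../" sequences that would climb out of the referenced checkout.
	if !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes ref %q", rel, name)
	}
	// Only the first match is substituted; text around it is kept verbatim.
	return prefix + rest[:loc[3]] + full + rest[loc[7]:], nil
}

func main() {
	refs := map[string]string{"config": "/tmp/checkout/repo2"} // constructed path
	for _, v := range []string{
		"$config/namespace-config/default/values.namespace.yaml",
		"secrets+age-import:///age-secret-key/keys.txt?$config/namespace-config/staging/secrets.namespace.yaml",
	} {
		fmt.Println(ResolveValueFile(v, refs))
	}
}
```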
@MohammedNoureldin
PR #12508 is likely something that we are looking for, but it's getting stale
@jkroepke Thanks for reaching out… I have reviewed the PR!! Looking for another set of eyes from the approvers to get it merged.
Oh sorry, it’s only in the examples, I have sources inside my real yaml file