helm-secrets: Age encryption in ArgoCD is not working: the URL scheme 'secrets+age-import' is not allowed
Current Behavior
When I’m trying to add an application via the ArgoCD UI or via the CLI, I’m getting an error that “File does not exist”
Error log:
[helm-secrets] File does not exist: secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml\\nError: plugin \\\"secrets\\\" exited with error\",\"type\":\"ComparisonError\"}]}}" application=wordpress
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: wordpress
spec:
  destination:
    name: ''
    namespace: wordpress
    server: 'https://kubernetes.default.svc'
  source:
    path: xyz/example-wordpress
    repoURL: '<REPO_URL>'
    targetRevision: init
    helm:
      valueFiles:
        - values.yaml
        - secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml
  project: default
project tree
example-wordpress$ tree .
.
├── Chart.yaml
├── secrets.yaml
└── values.yaml
I double-checked:
- volume with the secret is properly mounted and accessible
- executed
  helm template . -f secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml
  locally in repo-server pod and it works as expected, decrypted values are correct
- tried the approach with k8s secret for getting age key
Expected Behavior
When I add the application in ArgoCD with values that are encrypted using age, helm secrets should decrypt it and install app with decrypted values
Steps To Reproduce
No response
Environment
- Helm Version: 3.6.0
- Helm Secrets Version: 3.12.0
- OS: Ubuntu 21.04
- Shell: bash, version 5.1.4(1)-release
Anything else?
No response
About this issue
- State: closed
- Created 2 years ago
- Comments: 27 (13 by maintainers)
@shuker85
The integration with ArgoCD is broken since v2.2.4. There is an upcoming fix https://github.com/argoproj/argo-cd/pull/8535 to resolve the issue.
If the fix is merged and released on ArgoCD side, you do not need the wrapper anymore. But any secret.yaml needs to be prefixed by secrets://secrets.yaml. The HELM_SECRETS_HELM_PATH isn’t needed for the approach. It's a leftover. I will update the documentation if the mentioned PR is merged.
No, I documented it wrong.
https://github.com/argoproj/argo-helm/blob/0a5422f20a3853eb60614ec6c1028a85c330be49/charts/argo-cd/values.yaml#L1142
is correct.
@ioncoa
Sorry that you had a lot of trouble with helm-secrets. I clarify the documentation in #206.
Hi all,
ArgoCD released patches for 2.1 and 2.2, and also released 2.3.0.
These versions include a patch to solve that issue.
I'll merge the updated docs soon.
I created a PR to update the current documentation. I would much appreciate it if someone wants to review it. Sometimes it's not clear enough what needs to be done.
PR to review: https://github.com/jkroepke/helm-secrets/pull/191
Update documentation: https://github.com/jkroepke/helm-secrets/blob/a71d15ca83c07243aec1f081233c2dea8dd5650a/docs/ArgoCD Integration.md
Hi! My initial problem has been resolved. Unfortunately, due to many changes being done at the same time I was not able to pinpoint the solution that fixed my problem. I suppose that I wrongly mounted age key to the pod. I mounted it to argocd-server pod instead of argocd-repo-server. And it works with my wrapper and without it 😃 Some note/warn in the docs might be useful for others as well - please make sure that you mounted your private key to the repo-server pod. And also add this info about troubleshooting - https://github.com/jkroepke/helm-secrets/issues/185#issuecomment-1032625269
Yes. Set through Docker build or Kubernetes PodSpec Environment (recommended)
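Added example, not part of the original thread or of helm-secrets: a check for the mistake described above, where the age key was mounted to argocd-server instead of argocd-repo-server. It takes the key path from the Application's secrets+age-import:// value file and looks for a covering volumeMount in each Deployment; the input shape (output of kubectl get deploy -o json) and the sample Deployments are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

SCHEME = "secrets+age-import"  # scheme used in the Application's valueFiles

def age_key_path(value_file):
    """Return the key path of a secrets+age-import:// value file, else None."""
    parts = urlsplit(value_file)
    # parts.query holds the encrypted values file (secrets.yaml); path is the key
    return parts.path if parts.scheme == SCHEME else None

def mounts_covering(deployment, key_path):
    """List (container, mountPath) pairs whose mount contains key_path."""
    hits = []
    for c in deployment["spec"]["template"]["spec"].get("containers", []):
        for m in c.get("volumeMounts", []):
            base = m["mountPath"].rstrip("/")
            # directory mount, or a single-file mount (subPath) of the key itself
            if key_path == base or key_path.startswith(base + "/"):
                hits.append((c["name"], m["mountPath"]))
    return hits

def check(deploy_list, value_files, component="argocd-repo-server"):
    """Per key path: which Deployments mount it, and whether repo-server does."""
    report = {}
    for vf in value_files:
        key = age_key_path(vf)
        if key is None:
            continue  # plain values file, nothing to decrypt
        mounted_in = [d["metadata"]["name"] for d in deploy_list["items"]
                      if mounts_covering(d, key)]
        report[key] = {"mounted_in": mounted_in, "ok": component in mounted_in}
    return report

def _deploy(name, mounts):
    """Build a minimal constructed Deployment object for the samples below."""
    vms = [{"name": "age-key", "mountPath": p} for p in mounts]
    spec = {"containers": [{"name": name, "volumeMounts": vms}]}
    return {"metadata": {"name": name}, "spec": {"template": {"spec": spec}}}

# valueFiles as in the Application manifest from the issue
VALUE_FILES = ["values.yaml",
               "secrets+age-import:///helm-secrets-private-keys/key.txt?secrets.yaml"]
# Constructed samples: key mounted on the wrong pod, then on the right one
WRONG = {"items": [_deploy("argocd-server", ["/helm-secrets-private-keys"]),
                   _deploy("argocd-repo-server", [])]}
RIGHT = {"items": [_deploy("argocd-server", []),
                   _deploy("argocd-repo-server", ["/helm-secrets-private-keys/"])]}

if __name__ == "__main__":
    for label, data in (("wrong", WRONG), ("right", RIGHT)):
        print(label, json.dumps(check(data, VALUE_FILES)))
```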