viaduct-ai / kustomize-sops

KSOPS - A Flexible Kustomize Plugin for SOPS Encrypted Resources

Deployment Fails to Pull Image from AWS ECR Using KSOPS with Argo CD: No Basic Auth Credentials

LeoAnt02 opened this issue · comments

commented

Hello,

I'm experiencing an issue with deploying a Kubernetes application using Argo CD, where the deployment fails to pull an image from AWS ECR. The error indicates a lack of basic auth credentials, despite the secret being seemingly correctly set up via KSOPS.

Not sure if this is a bug, or I'm missing something
Any idea ?

Environment:

  • Argo CD Version: v2.10.1+a79e0ea
  • kustomize: v5.2.1 2023-10-19T20:13:51Z
  • Platform: linux/arm64
  • kubectl: v0.26.11

  • KSOPS Version: 4.3.1

Issue Description:

When creating the image pull secret manually via the Kubernetes CLI, everything works as expected. However, when attempting to use KSOPS to manage the secret within Argo CD, the secret pull-staging does not appear to be present or correctly applied, leading to image pull failures.

Steps to Reproduce:

  1. Manual Secret Creation (Works):
   kubectl create secret docker-registry pull-staging \
     --docker-server=$ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com \
     --docker-username=AWS \
     --docker-password=$(aws ecr get-login-password) \
     --namespace=staging

   kubectl get secret pull-staging -n staging
   # Secret is found

And the Argo CD pod deploys successfully

  2. Using KSOPS (Fail):

pull-staging.dec.yml:

looks like this

apiVersion: v1
kind: Secret
metadata:
    name: pull-staging
    namespace: staging
type: kubernetes.io/dockerconfigjson
data:
    .dockerconfigjson: ******

generator.yml:

     apiVersion: viaduct.ai/v1
     kind: ksops
     metadata:
       name: pull-staging
       namespace: staging
       labels:
         app: web
       annotations:
         config.kubernetes.io/function: |
           exec:
             path: ksops
     secretFrom:
     - metadata:
         name: pull-staging
         namespace: staging
         labels:
           app: web
         annotations:
           kustomize.config.k8s.io/needs-hash: "false"
       type: kubernetes.io/dockerconfigjson
       files:
       - secret/pull-staging.enc.yml

kustomization.yml:

     resources:
       - ../../base

     namespace: staging

     configMapGenerator:
       - name: config
         env: config.properties

     generators:
       - generator.yml

Deployment.yml

     apiVersion: apps/v1
     kind: Deployment
     metadata:
       name: web
     spec:
       replicas: 1
       template:
         spec:
           containers:
           - name: web
             image: ******.dkr.ecr.us-east-2.amazonaws.com/*****:latest
           imagePullSecrets:
           - name: pull-staging

Error on argoCD pod :

ERROR: Failed to pull image "*****.dkr.ecr.us-east-2.amazonaws.com/*****:latest": no basic auth credentials

My argocd has been patched with this

# argo-cd-repo-server-ksops-patch.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      # 1. Define an emptyDir volume which will hold the custom binaries
      volumes:
        - name: custom-tools
          emptyDir: {}
      # 2. Use an init container to download/copy custom binaries into the emptyDir
      initContainers:
        - name: install-ksops
          image: viaductoss/ksops:v4.3.1
          command: ["/bin/sh", "-c"]
          args:
            - |
              echo "Installing KSOPS...";
              mv ksops /custom-tools/;
              mv kustomize /custom-tools/;
              echo "Done.";
          volumeMounts:
            - mountPath: /custom-tools
              name: custom-tools
      # 3. Volume mount the custom binary to the bin directory (overriding the existing version)
      containers:
        - name: argocd-repo-server
          volumeMounts:
            - mountPath: /usr/local/bin/kustomize
              name: custom-tools
              subPath: kustomize
            - mountPath: /usr/local/bin/ksops
              name: custom-tools
              subPath: ksops
        ## If you use AWS or GCP KMS, don't forget to include the necessary credentials to decrypt the secrets!
          env:
            - name: AWS_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: argocd-aws-credentials
                  key: accesskey
            - name: AWS_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: argocd-aws-credentials
                  key: secretkey

and config map to enable the --enable-alpha-plugins --enable-exec

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"

and my aws secret are present and created correctly

❯ kubectl get secret argocd-aws-credentials -n argocd
NAME                     TYPE     DATA   AGE
argocd-aws-credentials   Opaque   2      21h
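
Added example, not part of the original issue or of the KSOPS project: a standard-library Python check that the Secret the cluster actually holds is a well-formed `kubernetes.io/dockerconfigjson` with an `auths` entry for the image's registry host, reporting problems without printing the credential. The account ID, token and helper names (`check_pull_secret`, `make_secret`, `registry_host`) are constructed for illustration.

```python
import base64
import json
import sys

SECRET_TYPE = "kubernetes.io/dockerconfigjson"
KEY = ".dockerconfigjson"


def registry_host(image):
    """Registry host of an image reference; bare names default to Docker Hub."""
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first
    return "index.docker.io"


def _norm(auths_key):
    """Strip scheme and path so 'https://host/v1/' compares equal to 'host'."""
    return auths_key.split("://", 1)[-1].split("/", 1)[0]


def check_pull_secret(secret, image):
    """Return a list of problems; messages never contain credential values."""
    problems = []
    if secret.get("type") != SECRET_TYPE:
        problems.append(f"type is {secret.get('type')!r}, expected {SECRET_TYPE!r}")
    data = secret.get("data") or {}
    if KEY not in data:
        return problems + [f"data has no {KEY!r} key (keys: {sorted(data)})"]
    try:
        # 'data' values must be base64; raw JSON pasted under 'data' fails here.
        cfg = json.loads(base64.b64decode(data[KEY], validate=True))
    except (ValueError, TypeError):
        return problems + [f"{KEY} is not base64-encoded JSON"]
    auths = cfg.get("auths") if isinstance(cfg, dict) else None
    if not isinstance(auths, dict) or not auths:
        return problems + ["decoded config has no 'auths' map"]
    host = registry_host(image)
    entry = next((v for k, v in auths.items() if _norm(k) == host), None)
    if not isinstance(entry, dict):
        return problems + [f"no auths entry for {host} (found: {sorted(auths)})"]
    user, password = entry.get("username", ""), entry.get("password", "")
    if entry.get("auth"):
        try:
            decoded = base64.b64decode(entry["auth"], validate=True).decode()
        except (ValueError, TypeError):
            return problems + [f"auth for {host} is not base64 'user:password'"]
        user, _, password = decoded.partition(":")
    if not user or not password:
        problems.append(f"auths entry for {host} has an empty username or password")
    return problems


def make_secret(host, user, password, key=KEY):
    """Build a constructed Secret object shaped like `kubectl get secret -o json`."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    cfg = json.dumps({"auths": {host: {"auth": auth}}}).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": SECRET_TYPE,
        "metadata": {"name": "pull-staging", "namespace": "staging"},
        "data": {key: base64.b64encode(cfg).decode()},
    }


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live use: secret JSON on stdin, image reference as the argument.
        secret, image = json.load(sys.stdin), sys.argv[1]
    else:
        # Constructed sample: placeholder account ID and token, not real values.
        image = "123456789012.dkr.ecr.us-east-2.amazonaws.com/web:latest"
        secret = make_secret(registry_host(image), "AWS", "constructed-token")
    found = check_pull_secret(secret, image)
    print("\n".join(found) or "pull secret is well-formed for " + registry_host(image))
    sys.exit(1 if found else 0)
```

Against a live cluster, pipe `kubectl get secret pull-staging -n staging -o json` into the script with the image reference as its only argument; a non-zero exit means the Secret is missing or malformed.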

🤖

Based on the information you've provided and the context from the KSOPS repository, it seems like the issue might be related to the -enable-exec flag missing from kustomize.buildOptions in your ArgoCD configuration. This was a solution suggested in a similar issue found in the KSOPS repository: KSOPS not working with ArgoCD - no error.

To resolve this, you can add the -enable-exec flag to your kustomize.buildOptions in your ArgoCD configuration. This flag is required to enable the execution of plugins like KSOPS.

Here's an example of how to add the flag:

data:
  kustomize.buildOptions: --enable-alpha-plugins --enable-exec

After adding the flag, you should be able to use KSOPS to manage your secrets within Argo CD.

Regarding the creation and management of Kubernetes secrets, specifically docker-registry secrets, with KSOPS, you would follow the same process as for any other Kubernetes secret. You can refer to the detailed step-by-step guide provided in the context above.

As for compatibility issues between KSOPS v4.3.1 and Argo CD version v2.10.1+a79e0ea, I wasn't able to find any known issues within the KSOPS repository. However, it's always a good idea to ensure you're using the latest stable versions of both tools, as this can help avoid potential compatibility issues.

If the issue persists after trying these steps, could you please provide more details about your setup? Specifically, the content of your pull-staging.dec.yml, generator.yml, kustomization.yml, and Deployment.yml files (with any sensitive information redacted), as well as the exact steps you're taking to apply the secret with KSOPS and Argo CD. This will help in further diagnosing the issue.

About Dosu

This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.

Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant.

If you want to continue the conversation, start your reply with @dosu-bot.

commented

@dosu-bot

Just edited the post above and added the enable plugins part
My argocd is able to use --enable-alpha-plugins --enable-exec without any issue

🤖

It's great to hear that your ArgoCD is working well with the --enable-alpha-plugins and --enable-exec flags. If you have any questions or need further assistance with KSOPS or any other related topics, feel free to ask!

Hi @LeoAnt02 the error

    ERROR: Failed to pull image "*****.dkr.ecr.us-east-2.amazonaws.com/*****:latest": no basic auth credentials

suggests that the AWS_ env vars set in the repo server patch are overriding the credentials in imagePullSecrets

Hope this helps!

This is not related to the KSOPS library itself.

commented

Hey @devstein

Thanks for taking the time on this

What would be the best solution for this?

I'm still new to k8

The naive fix is to give the Argo CD credentials permission to pull the image from ECR

Can you share the rendered deployment manifest? Maybe there are some clues based on how the patch is getting applied.

commented

@devstein
The thing is the argocd credentials already have pull permissions, but from what I understand need to login a 2nd time with ecr specific credentials

so not sure how I can do the first fix you mentioned

Here's the argo deployment manifest after the patch

❯ kubectl get deployment argocd-repo-server -n argocd -o yaml > argocd-repo-server-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "13"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"repo-server","app.kubernetes.io/name":"argocd-repo-server","app.kubernetes.io/part-of":"argocd"},"name":"argocd-repo-server","namespace":"argocd"},"spec":{"selector":{"matchLabels":{"app.kubernetes.io/name":"argocd-repo-server"}},"template":{"metadata":{"labels":{"app.kubernetes.io/name":"argocd-repo-server"}},"spec":{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchLabels":{"app.kubernetes.io/name":"argocd-repo-server"}},"topologyKey":"kubernetes.io/hostname"},"weight":100},{"podAffinityTerm":{"labelSelector":{"matchLabels":{"app.kubernetes.io/part-of":"argocd"}},"topologyKey":"kubernetes.io/hostname"},"weight":5}]}},"automountServiceAccountToken":false,"containers":[{"args":["/usr/local/bin/argocd-repo-server"],"env":[{"name":"ARGOCD_RECONCILIATION_TIMEOUT","valueFrom":{"configMapKeyRef":{"key":"timeout.reconciliation","name":"argocd-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LOGFORMAT","valueFrom":{"configMapKeyRef":{"key":"reposerver.log.format","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LOGLEVEL","valueFrom":{"configMapKeyRef":{"key":"reposerver.log.level","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_PARALLELISM_LIMIT","valueFrom":{"configMapKeyRef":{"key":"reposerver.parallelism.limit","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LISTEN_ADDRESS","valueFrom":{"configMapKeyRef":{"key":"reposerver.listen.address","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS","valueFrom":{"configMapKeyRef":{"key":"reposerver.metrics.listen.address","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_DISABLE_TLS","valueFrom":{"configMapKeyRef":{"key":"reposerver.disable.tls","name":"argocd-cmd-params-cm","o
ptional":true}}},{"name":"ARGOCD_TLS_MIN_VERSION","valueFrom":{"configMapKeyRef":{"key":"reposerver.tls.minversion","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_TLS_MAX_VERSION","valueFrom":{"configMapKeyRef":{"key":"reposerver.tls.maxversion","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_TLS_CIPHERS","valueFrom":{"configMapKeyRef":{"key":"reposerver.tls.ciphers","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_CACHE_EXPIRATION","valueFrom":{"configMapKeyRef":{"key":"reposerver.repo.cache.expiration","name":"argocd-cmd-params-cm","optional":true}}},{"name":"REDIS_SERVER","valueFrom":{"configMapKeyRef":{"key":"redis.server","name":"argocd-cmd-params-cm","optional":true}}},{"name":"REDIS_COMPRESSION","valueFrom":{"configMapKeyRef":{"key":"redis.compression","name":"argocd-cmd-params-cm","optional":true}}},{"name":"REDISDB","valueFrom":{"configMapKeyRef":{"key":"redis.db","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_DEFAULT_CACHE_EXPIRATION","valueFrom":{"configMapKeyRef":{"key":"reposerver.default.cache.expiration","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_OTLP_ADDRESS","valueFrom":{"configMapKeyRef":{"key":"otlp.address","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_OTLP_INSECURE","valueFrom":{"configMapKeyRef":{"key":"otlp.insecure","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_OTLP_HEADERS","valueFrom":{"configMapKeyRef":{"key":"otlp.headers","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.max.combined.directory.manifests.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS","valueFrom":{"configMapKeyRef":{"key":"reposerver.plugin.tar.exclusions","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_AL
LOW_OUT_OF_BOUNDS_SYMLINKS","valueFrom":{"configMapKeyRef":{"key":"reposerver.allow.oob.symlinks","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.streamed.manifest.max.tar.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.streamed.manifest.max.extracted.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.helm.manifest.max.extracted.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.disable.helm.manifest.max.extracted.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_GIT_MODULES_ENABLED","valueFrom":{"configMapKeyRef":{"key":"reposerver.enable.git.submodule","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT","valueFrom":{"configMapKeyRef":{"key":"reposerver.git.lsremote.parallelism.limit","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_GIT_REQUEST_TIMEOUT","valueFrom":{"configMapKeyRef":{"key":"reposerver.git.request.timeout","name":"argocd-cmd-params-cm","optional":true}}},{"name":"HELM_CACHE_HOME","value":"/helm-working-dir"},{"name":"HELM_CONFIG_HOME","value":"/helm-working-dir"},{"name":"HELM_DATA_HOME","value":"/helm-working-dir"}],"image":"quay.io/argoproj/argocd:v2.10.1","imagePullPolicy":"Always","livenessProbe":{"failureThreshold":3,"httpGet":{"path":"/healthz?full=true","port":8084},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"name":"argocd-repo-server","ports":[{"containerPort":8081},{"containerPort":8084}],"readinessProbe":{"httpGet":{"path":"/healthz","port":8084},"initialDelaySeconds":5,"
periodSeconds":10},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},"volumeMounts":[{"mountPath":"/app/config/ssh","name":"ssh-known-hosts"},{"mountPath":"/app/config/tls","name":"tls-certs"},{"mountPath":"/app/config/gpg/source","name":"gpg-keys"},{"mountPath":"/app/config/gpg/keys","name":"gpg-keyring"},{"mountPath":"/app/config/reposerver/tls","name":"argocd-repo-server-tls"},{"mountPath":"/tmp","name":"tmp"},{"mountPath":"/helm-working-dir","name":"helm-working-dir"},{"mountPath":"/home/argocd/cmp-server/plugins","name":"plugins"}]}],"initContainers":[{"command":["/bin/cp","-n","/usr/local/bin/argocd","/var/run/argocd/argocd-cmp-server"],"image":"quay.io/argoproj/argocd:v2.10.1","name":"copyutil","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},"volumeMounts":[{"mountPath":"/var/run/argocd","name":"var-files"}]}],"serviceAccountName":"argocd-repo-server","volumes":[{"configMap":{"name":"argocd-ssh-known-hosts-cm"},"name":"ssh-known-hosts"},{"configMap":{"name":"argocd-tls-certs-cm"},"name":"tls-certs"},{"configMap":{"name":"argocd-gpg-keys-cm"},"name":"gpg-keys"},{"emptyDir":{},"name":"gpg-keyring"},{"emptyDir":{},"name":"tmp"},{"emptyDir":{},"name":"helm-working-dir"},{"name":"argocd-repo-server-tls","secret":{"items":[{"key":"tls.crt","path":"tls.crt"},{"key":"tls.key","path":"tls.key"},{"key":"ca.crt","path":"ca.crt"}],"optional":true,"secretName":"argocd-repo-server-tls"}},{"emptyDir":{},"name":"var-files"},{"emptyDir":{},"name":"plugins"}]}}}}
  creationTimestamp: "2024-02-22T22:22:37Z"
  generation: 13
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
  namespace: argocd
  resourceVersion: "77150"
  uid: 4e9c49c9-23ce-4d94-980a-25c21eaf3d73
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: argocd-repo-server
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/restartedAt: "2024-02-24T11:48:00-05:00"
      creationTimestamp: null
      labels:
        app.kubernetes.io/name: argocd-repo-server
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-repo-server
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      automountServiceAccountToken: false
      containers:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
        - name: XDG_CONFIG_HOME
          value: /.config
        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
              key: accesskey
              name: argocd-aws-credentials
        - name: AWS_SECRET_ACCESS_KEY
          valueFrom:
            secretKeyRef:
              key: secretkey
              name: argocd-aws-credentials
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGFORMAT
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.format
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LOGLEVEL
          valueFrom:
            configMapKeyRef:
              key: reposerver.log.level
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: reposerver.metrics.listen.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_DISABLE_TLS
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.tls
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MIN_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.minversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_MAX_VERSION
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.maxversion
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_TLS_CIPHERS
          valueFrom:
            configMapKeyRef:
              key: reposerver.tls.ciphers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.repo.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_SERVER
          valueFrom:
            configMapKeyRef:
              key: redis.server
              name: argocd-cmd-params-cm
              optional: true
        - name: REDIS_COMPRESSION
          valueFrom:
            configMapKeyRef:
              key: redis.compression
              name: argocd-cmd-params-cm
              optional: true
        - name: REDISDB
          valueFrom:
            configMapKeyRef:
              key: redis.db
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_DEFAULT_CACHE_EXPIRATION
          valueFrom:
            configMapKeyRef:
              key: reposerver.default.cache.expiration
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
          valueFrom:
            configMapKeyRef:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_INSECURE
          valueFrom:
            configMapKeyRef:
              key: otlp.insecure
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_OTLP_HEADERS
          valueFrom:
            configMapKeyRef:
              key: otlp.headers
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
          valueFrom:
            configMapKeyRef:
              key: reposerver.plugin.tar.exclusions
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
          valueFrom:
            configMapKeyRef:
              key: reposerver.allow.oob.symlinks
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.tar.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
          valueFrom:
            configMapKeyRef:
              key: reposerver.disable.helm.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
              key: reposerver.enable.git.submodule
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.lsremote.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
        - name: ARGOCD_GIT_REQUEST_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: reposerver.git.request.timeout
              name: argocd-cmd-params-cm
              optional: true
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
        image: quay.io/argoproj/argocd:v2.10.1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz?full=true
            port: 8084
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 30
          successThreshold: 1
          timeoutSeconds: 5
        name: argocd-repo-server
        ports:
        - containerPort: 8081
          protocol: TCP
        - containerPort: 8084
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 8084
            scheme: HTTP
          initialDelaySeconds: 5
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /usr/local/bin/kustomize
          name: custom-tools
          subPath: kustomize
        - mountPath: /usr/local/bin/ksops
          name: custom-tools
          subPath: ksops
        - mountPath: /.config/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator/SopsSecretGenerator
          name: custom-tools
          subPath: SopsSecretGenerator
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        - mountPath: /app/config/tls
          name: tls-certs
        - mountPath: /app/config/gpg/source
          name: gpg-keys
        - mountPath: /app/config/gpg/keys
          name: gpg-keyring
        - mountPath: /app/config/reposerver/tls
          name: argocd-repo-server-tls
        - mountPath: /tmp
          name: tmp
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins
          name: plugins
      dnsPolicy: ClusterFirst
      initContainers:
      - args:
        - |
          echo "Installing KSOPS...";
          mv ksops /custom-tools/;
          mv kustomize /custom-tools/;
          echo "Done.";
        command:
        - /bin/sh
        - -c
        image: viaductoss/ksops:v4.3.1
        imagePullPolicy: IfNotPresent
        name: install-ksops
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
      - args:
        - |
          echo "Installing goabout kustomize sops...";
          set -e;
          set -x;
          wget -O /custom-tools/SopsSecretGenerator https://github.com/goabout/kustomize-sopssecretgenerator/releases/download/v${VERSION}/SopsSecretGenerator_${VERSION}_${PLATFORM}_${ARCH};
          chmod -v +x /custom-tools/SopsSecretGenerator;
          set +x;
          echo "Done.";
        command:
        - /bin/sh
        - -c
        env:
        - name: VERSION
          value: 1.6.0
        - name: PLATFORM
          value: darwin
        - name: ARCH
          value: arm64
        image: alpine:3.11.3
        imagePullPolicy: IfNotPresent
        name: install-goaboutsops
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /custom-tools
          name: custom-tools
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
        image: quay.io/argoproj/argocd:v2.10.1
        imagePullPolicy: IfNotPresent
        name: copyutil
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: argocd-repo-server
      serviceAccountName: argocd-repo-server
      terminationGracePeriodSeconds: 30
      volumes:
      - emptyDir: {}
        name: custom-tools
      - configMap:
          defaultMode: 420
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      - configMap:
          defaultMode: 420
          name: argocd-tls-certs-cm
        name: tls-certs
      - configMap:
          defaultMode: 420
          name: argocd-gpg-keys-cm
        name: gpg-keys
      - emptyDir: {}
        name: gpg-keyring
      - emptyDir: {}
        name: tmp
      - emptyDir: {}
        name: helm-working-dir
      - name: argocd-repo-server-tls
        secret:
          defaultMode: 420
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2024-02-22T22:22:37Z"
    lastUpdateTime: "2024-02-24T16:48:11Z"
    message: ReplicaSet "argocd-repo-server-6464df6895" has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  - lastTransitionTime: "2024-02-25T14:28:59Z"
    lastUpdateTime: "2024-02-25T14:28:59Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 13
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1