Deployment Fails to Pull Image from AWS ECR Using KSOPS with Argo CD: No Basic Auth Credentials
LeoAnt02 opened this issue Β· comments
Hello,
I'm experiencing an issue with deploying a Kubernetes application using Argo CD, where the deployment fails to pull an image from AWS ECR. The error indicates a lack of basic auth credentials, despite the secret being seemingly correctly set up via KSOPS.
Not sure if this is a bug, or I'm missing something
Any idea ?
Environment:
-
Argo CD Version:
v2.10.1+a79e0ea
kustomize
v5.2.1 2023-10-19T20:13:51Z
Platform
linux/arm64
kubectl
v0.26.11 -
KSOPS Version: 4.3.1
Issue Description:
When creating the image pull secret manually via the Kubernetes CLI, everything works as expected. However, when attempting to use KSOPS to manage the secret within Argo CD, the secret pull-staging does not appear to be present or correctly applied, leading to image pull failures.
Steps to Reproduce:
- Manual Secret Creation (Works):
kubectl create secret docker-registry pull-staging \
--docker-server=$ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com \
--docker-username=AWS \
--docker-password=$(aws ecr get-login-password) \
--namespace=staging
kubectl get secret pull-staging -n staging
# Secret is found
And argoCD pod deploy successfully
- Using KSOPS (Fail):
pull-staging.dec.yml:
looks like this
apiVersion: v1
kind: Secret
metadata:
name: pull-staging
namespace: staging
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: ******
generator.yml:
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: pull-staging
namespace: staging
labels:
app: web
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
secretFrom:
- metadata:
name: pull-staging
namespace: staging
labels:
app: web
annotations:
kustomize.config.k8s.io/needs-hash: "false"
type: kubernetes.io/dockerconfigjson
files:
- secret/pull-staging.enc.yml
kustomization.yml:
resources:
- ../../base
namespace: staging
configMapGenerator:
- name: config
env: config.properties
generators:
- generator.yml
Deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
name: web
spec:
replicas: 1
template:
spec:
containers:
- name: web
image: ******.dkr.ecr.us-east-2.amazonaws.com/*****:latest
imagePullSecrets:
- name: pull-staging
Error on argoCD pod :
ERROR: Failed to pull image "*****.dkr.ecr.us-east-2.amazonaws.com/*****:latest": no basic auth credentials
My argocd has been patched with this
# argo-cd-repo-server-ksops-patch.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: argocd-repo-server
spec:
template:
spec:
# 1. Define an emptyDir volume which will hold the custom binaries
volumes:
- name: custom-tools
emptyDir: {}
# 2. Use an init container to download/copy custom binaries into the emptyDir
initContainers:
- name: install-ksops
image: viaductoss/ksops:v4.3.1
command: ["/bin/sh", "-c"]
args:
- |
echo "Installing KSOPS...";
mv ksops /custom-tools/;
mv kustomize /custom-tools/;
echo "Done.";
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
# 3. Volume mount the custom binary to the bin directory (overriding the existing version)
containers:
- name: argocd-repo-server
volumeMounts:
- mountPath: /usr/local/bin/kustomize
name: custom-tools
subPath: kustomize
- mountPath: /usr/local/bin/ksops
name: custom-tools
subPath: ksops
## If you use AWS or GCP KMS, don't forget to include the necessary credentials to decrypt the secrets!
env:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: argocd-aws-credentials
key: accesskey
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: argocd-aws-credentials
key: secretkey
and config map to enable the --enable-alpha-plugins --enable-exec
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
labels:
app.kubernetes.io/name: argocd-cm
app.kubernetes.io/part-of: argocd
data:
kustomize.buildOptions: "--enable-alpha-plugins --enable-exec"
and my aws secret are present and created correctly
β― kubectl get secret argocd-aws-credentials -n argocd
NAME TYPE DATA AGE
argocd-aws-credentials Opaque 2 21h
π€
Based on the information you've provided and the context from the KSOPS repository, it seems like the issue might be related to the -enable-exec flag missing from kustomize.buildOptions in your ArgoCD configuration. This was a solution suggested in a similar issue found in the KSOPS repository: KSOPS not working with ArgoCD - no error.
To resolve this, you can add the -enable-exec flag to your kustomize.buildOptions in your ArgoCD configuration. This flag is required to enable the execution of plugins like KSOPS.
Here's an example of how to add the flag:
data:
kustomize.buildOptions: --enable-alpha-plugins --enable-execAfter adding the flag, you should be able to use KSOPS to manage your secrets within Argo CD.
Regarding the creation and management of Kubernetes secrets, specifically docker-registry secrets, with KSOPS, you would follow the same process as for any other Kubernetes secret. You can refer to the detailed step-by-step guide provided in the context above.
As for compatibility issues between KSOPS v4.3.1 and Argo CD version v2.10.1+a79e0ea, I wasn't able to find any known issues within the KSOPS repository. However, it's always a good idea to ensure you're using the latest stable versions of both tools, as this can help avoid potential compatibility issues.
If the issue persists after trying these steps, could you please provide more details about your setup? Specifically, the content of your pull-staging.dec.yml, generator.yml, kustomization.yml, and Deployment.yml files (with any sensitive information redacted), as well as the exact steps you're taking to apply the secret with KSOPS and Argo CD. This will help in further diagnosing the issue.
Sources
About Dosu
This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.
Help me be more useful! Please leave a π if this is helpful and π if it is irrelevant.
If you want to continue the conversation, start your reply with @dosu-bot.
Just edited the post above and added the enable plugins part
My argocd is able to use --enable-alpha-plugins --enable-exec without any issue
π€
It's great to hear that your ArgoCD is working well with the --enable-alpha-plugins and --enable-exec flags. If you have any questions or need further assistance with KSOPS or any other related topics, feel free to ask!
About Dosu
This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.
Help me be more useful! Please leave a π if this is helpful and π if it is irrelevant.
If you want to continue the conversation, start your reply with @dosu-bot.
Hi @LeoAnt02 the error
ERROR: Failed to pull image "*****.dkr.ecr.us-east-2.amazonaws.com/*****:latest": no basic auth credentialssuggests that the AWS_ env vars set in the repo server patch is overriding the credentials in imagePullSecrets
Hope this helps!
This is not related to the KSOPS library itself.
Hey @devstein
Thanks for taking the time on this
What would be the best solution for this ?
Im still new to k8
The naive fix is the give the Argo CD credentials permission to pull the image from ECR
Can you share the rendered deployment manifest? Maybe there are some clues based on how the patch is getting applied.
@devstein
The thing is the argocd credentials already have pull permissions, but from what I understand need to login a 2nd time with ecr specific credentials
so not sure how I can do the first fix you mentionned
Here's the argo deployment manifest after the patch
β― kubectl get deployment argocd-repo-server -n argocd -o yaml > argocd-repo-server-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "13"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"repo-server","app.kubernetes.io/name":"argocd-repo-server","app.kubernetes.io/part-of":"argocd"},"name":"argocd-repo-server","namespace":"argocd"},"spec":{"selector":{"matchLabels":{"app.kubernetes.io/name":"argocd-repo-server"}},"template":{"metadata":{"labels":{"app.kubernetes.io/name":"argocd-repo-server"}},"spec":{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchLabels":{"app.kubernetes.io/name":"argocd-repo-server"}},"topologyKey":"kubernetes.io/hostname"},"weight":100},{"podAffinityTerm":{"labelSelector":{"matchLabels":{"app.kubernetes.io/part-of":"argocd"}},"topologyKey":"kubernetes.io/hostname"},"weight":5}]}},"automountServiceAccountToken":false,"containers":[{"args":["/usr/local/bin/argocd-repo-server"],"env":[{"name":"ARGOCD_RECONCILIATION_TIMEOUT","valueFrom":{"configMapKeyRef":{"key":"timeout.reconciliation","name":"argocd-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LOGFORMAT","valueFrom":{"configMapKeyRef":{"key":"reposerver.log.format","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LOGLEVEL","valueFrom":{"configMapKeyRef":{"key":"reposerver.log.level","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_PARALLELISM_LIMIT","valueFrom":{"configMapKeyRef":{"key":"reposerver.parallelism.limit","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LISTEN_ADDRESS","valueFrom":{"configMapKeyRef":{"key":"reposerver.listen.address","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS","valueFrom":{"configMapKeyRef":{"key":"reposerver.metrics.listen.address","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_DISABLE_TLS","valueFrom":{"configMapKeyRef":{"key":"reposerver.disable.tls","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_TLS_MIN_VERSION","valueFrom":{"configMapKeyRef":{"key":"reposerver.tls.minversion","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_TLS_MAX_VERSION","valueFrom":{"configMapKeyRef":{"key":"reposerver.tls.maxversion","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_TLS_CIPHERS","valueFrom":{"configMapKeyRef":{"key":"reposerver.tls.ciphers","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_CACHE_EXPIRATION","valueFrom":{"configMapKeyRef":{"key":"reposerver.repo.cache.expiration","name":"argocd-cmd-params-cm","optional":true}}},{"name":"REDIS_SERVER","valueFrom":{"configMapKeyRef":{"key":"redis.server","name":"argocd-cmd-params-cm","optional":true}}},{"name":"REDIS_COMPRESSION","valueFrom":{"configMapKeyRef":{"key":"redis.compression","name":"argocd-cmd-params-cm","optional":true}}},{"name":"REDISDB","valueFrom":{"configMapKeyRef":{"key":"redis.db","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_DEFAULT_CACHE_EXPIRATION","valueFrom":{"configMapKeyRef":{"key":"reposerver.default.cache.expiration","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_OTLP_ADDRESS","valueFrom":{"configMapKeyRef":{"key":"otlp.address","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_OTLP_INSECURE","valueFrom":{"configMapKeyRef":{"key":"otlp.insecure","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_OTLP_HEADERS","valueFrom":{"configMapKeyRef":{"key":"otlp.headers","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.max.combined.directory.manifests.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS","valueFrom":{"configMapKeyRef":{"key":"reposerver.plugin.tar.exclusions","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS","valueFrom":{"configMapKeyRef":{"key":"reposerver.allow.oob.symlinks","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.streamed.manifest.max.tar.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.streamed.manifest.max.extracted.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.helm.manifest.max.extracted.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE","valueFrom":{"configMapKeyRef":{"key":"reposerver.disable.helm.manifest.max.extracted.size","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_GIT_MODULES_ENABLED","valueFrom":{"configMapKeyRef":{"key":"reposerver.enable.git.submodule","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT","valueFrom":{"configMapKeyRef":{"key":"reposerver.git.lsremote.parallelism.limit","name":"argocd-cmd-params-cm","optional":true}}},{"name":"ARGOCD_GIT_REQUEST_TIMEOUT","valueFrom":{"configMapKeyRef":{"key":"reposerver.git.request.timeout","name":"argocd-cmd-params-cm","optional":true}}},{"name":"HELM_CACHE_HOME","value":"/helm-working-dir"},{"name":"HELM_CONFIG_HOME","value":"/helm-working-dir"},{"name":"HELM_DATA_HOME","value":"/helm-working-dir"}],"image":"quay.io/argoproj/argocd:v2.10.1","imagePullPolicy":"Always","livenessProbe":{"failureThreshold":3,"httpGet":{"path":"/healthz?full=true","port":8084},"initialDelaySeconds":30,"periodSeconds":30,"timeoutSeconds":5},"name":"argocd-repo-server","ports":[{"containerPort":8081},{"containerPort":8084}],"readinessProbe":{"httpGet":{"path":"/healthz","port":8084},"initialDelaySeconds":5,"periodSeconds":10},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},"volumeMounts":[{"mountPath":"/app/config/ssh","name":"ssh-known-hosts"},{"mountPath":"/app/config/tls","name":"tls-certs"},{"mountPath":"/app/config/gpg/source","name":"gpg-keys"},{"mountPath":"/app/config/gpg/keys","name":"gpg-keyring"},{"mountPath":"/app/config/reposerver/tls","name":"argocd-repo-server-tls"},{"mountPath":"/tmp","name":"tmp"},{"mountPath":"/helm-working-dir","name":"helm-working-dir"},{"mountPath":"/home/argocd/cmp-server/plugins","name":"plugins"}]}],"initContainers":[{"command":["/bin/cp","-n","/usr/local/bin/argocd","/var/run/argocd/argocd-cmp-server"],"image":"quay.io/argoproj/argocd:v2.10.1","name":"copyutil","securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}},"volumeMounts":[{"mountPath":"/var/run/argocd","name":"var-files"}]}],"serviceAccountName":"argocd-repo-server","volumes":[{"configMap":{"name":"argocd-ssh-known-hosts-cm"},"name":"ssh-known-hosts"},{"configMap":{"name":"argocd-tls-certs-cm"},"name":"tls-certs"},{"configMap":{"name":"argocd-gpg-keys-cm"},"name":"gpg-keys"},{"emptyDir":{},"name":"gpg-keyring"},{"emptyDir":{},"name":"tmp"},{"emptyDir":{},"name":"helm-working-dir"},{"name":"argocd-repo-server-tls","secret":{"items":[{"key":"tls.crt","path":"tls.crt"},{"key":"tls.key","path":"tls.key"},{"key":"ca.crt","path":"ca.crt"}],"optional":true,"secretName":"argocd-repo-server-tls"}},{"emptyDir":{},"name":"var-files"},{"emptyDir":{},"name":"plugins"}]}}}}
creationTimestamp: "2024-02-22T22:22:37Z"
generation: 13
labels:
app.kubernetes.io/component: repo-server
app.kubernetes.io/name: argocd-repo-server
app.kubernetes.io/part-of: argocd
name: argocd-repo-server
namespace: argocd
resourceVersion: "77150"
uid: 4e9c49c9-23ce-4d94-980a-25c21eaf3d73
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
annotations:
kubectl.kubernetes.io/restartedAt: "2024-02-24T11:48:00-05:00"
creationTimestamp: null
labels:
app.kubernetes.io/name: argocd-repo-server
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/name: argocd-repo-server
topologyKey: kubernetes.io/hostname
weight: 100
- podAffinityTerm:
labelSelector:
matchLabels:
app.kubernetes.io/part-of: argocd
topologyKey: kubernetes.io/hostname
weight: 5
automountServiceAccountToken: false
containers:
- args:
- /usr/local/bin/argocd-repo-server
env:
- name: XDG_CONFIG_HOME
value: /.config
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
key: accesskey
name: argocd-aws-credentials
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
key: secretkey
name: argocd-aws-credentials
- name: ARGOCD_RECONCILIATION_TIMEOUT
valueFrom:
configMapKeyRef:
key: timeout.reconciliation
name: argocd-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGFORMAT
valueFrom:
configMapKeyRef:
key: reposerver.log.format
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LOGLEVEL
valueFrom:
configMapKeyRef:
key: reposerver.log.level
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_LISTEN_METRICS_ADDRESS
valueFrom:
configMapKeyRef:
key: reposerver.metrics.listen.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_TLS
valueFrom:
configMapKeyRef:
key: reposerver.disable.tls
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MIN_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.minversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_MAX_VERSION
valueFrom:
configMapKeyRef:
key: reposerver.tls.maxversion
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_TLS_CIPHERS
valueFrom:
configMapKeyRef:
key: reposerver.tls.ciphers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.repo.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: REDIS_SERVER
valueFrom:
configMapKeyRef:
key: redis.server
name: argocd-cmd-params-cm
optional: true
- name: REDIS_COMPRESSION
valueFrom:
configMapKeyRef:
key: redis.compression
name: argocd-cmd-params-cm
optional: true
- name: REDISDB
valueFrom:
configMapKeyRef:
key: redis.db
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_DEFAULT_CACHE_EXPIRATION
valueFrom:
configMapKeyRef:
key: reposerver.default.cache.expiration
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_ADDRESS
valueFrom:
configMapKeyRef:
key: otlp.address
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_INSECURE
valueFrom:
configMapKeyRef:
key: otlp.insecure
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_OTLP_HEADERS
valueFrom:
configMapKeyRef:
key: otlp.headers
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.max.combined.directory.manifests.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
valueFrom:
configMapKeyRef:
key: reposerver.plugin.tar.exclusions
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS
valueFrom:
configMapKeyRef:
key: reposerver.allow.oob.symlinks
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.tar.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.streamed.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
valueFrom:
configMapKeyRef:
key: reposerver.disable.helm.manifest.max.extracted.size
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_MODULES_ENABLED
valueFrom:
configMapKeyRef:
key: reposerver.enable.git.submodule
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_LS_REMOTE_PARALLELISM_LIMIT
valueFrom:
configMapKeyRef:
key: reposerver.git.lsremote.parallelism.limit
name: argocd-cmd-params-cm
optional: true
- name: ARGOCD_GIT_REQUEST_TIMEOUT
valueFrom:
configMapKeyRef:
key: reposerver.git.request.timeout
name: argocd-cmd-params-cm
optional: true
- name: HELM_CACHE_HOME
value: /helm-working-dir
- name: HELM_CONFIG_HOME
value: /helm-working-dir
- name: HELM_DATA_HOME
value: /helm-working-dir
image: quay.io/argoproj/argocd:v2.10.1
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz?full=true
port: 8084
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
name: argocd-repo-server
ports:
- containerPort: 8081
protocol: TCP
- containerPort: 8084
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 8084
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /usr/local/bin/kustomize
name: custom-tools
subPath: kustomize
- mountPath: /usr/local/bin/ksops
name: custom-tools
subPath: ksops
- mountPath: /.config/kustomize/plugin/goabout.com/v1beta1/sopssecretgenerator/SopsSecretGenerator
name: custom-tools
subPath: SopsSecretGenerator
- mountPath: /app/config/ssh
name: ssh-known-hosts
- mountPath: /app/config/tls
name: tls-certs
- mountPath: /app/config/gpg/source
name: gpg-keys
- mountPath: /app/config/gpg/keys
name: gpg-keyring
- mountPath: /app/config/reposerver/tls
name: argocd-repo-server-tls
- mountPath: /tmp
name: tmp
- mountPath: /helm-working-dir
name: helm-working-dir
- mountPath: /home/argocd/cmp-server/plugins
name: plugins
dnsPolicy: ClusterFirst
initContainers:
- args:
- |
echo "Installing KSOPS...";
mv ksops /custom-tools/;
mv kustomize /custom-tools/;
echo "Done.";
command:
- /bin/sh
- -c
image: viaductoss/ksops:v4.3.1
imagePullPolicy: IfNotPresent
name: install-ksops
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
- args:
- |
echo "Installing goabout kustomize sops...";
set -e;
set -x;
wget -O /custom-tools/SopsSecretGenerator https://github.com/goabout/kustomize-sopssecretgenerator/releases/download/v${VERSION}/SopsSecretGenerator_${VERSION}_${PLATFORM}_${ARCH};
chmod -v +x /custom-tools/SopsSecretGenerator;
set +x;
echo "Done.";
command:
- /bin/sh
- -c
env:
- name: VERSION
value: 1.6.0
- name: PLATFORM
value: darwin
- name: ARCH
value: arm64
image: alpine:3.11.3
imagePullPolicy: IfNotPresent
name: install-goaboutsops
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /custom-tools
name: custom-tools
- command:
- /bin/cp
- -n
- /usr/local/bin/argocd
- /var/run/argocd/argocd-cmp-server
image: quay.io/argoproj/argocd:v2.10.1
imagePullPolicy: IfNotPresent
name: copyutil
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/argocd
name: var-files
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: argocd-repo-server
serviceAccountName: argocd-repo-server
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: custom-tools
- configMap:
defaultMode: 420
name: argocd-ssh-known-hosts-cm
name: ssh-known-hosts
- configMap:
defaultMode: 420
name: argocd-tls-certs-cm
name: tls-certs
- configMap:
defaultMode: 420
name: argocd-gpg-keys-cm
name: gpg-keys
- emptyDir: {}
name: gpg-keyring
- emptyDir: {}
name: tmp
- emptyDir: {}
name: helm-working-dir
- name: argocd-repo-server-tls
secret:
defaultMode: 420
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- key: ca.crt
path: ca.crt
optional: true
secretName: argocd-repo-server-tls
- emptyDir: {}
name: var-files
- emptyDir: {}
name: plugins
status:
availableReplicas: 1
conditions:
- lastTransitionTime: "2024-02-22T22:22:37Z"
lastUpdateTime: "2024-02-24T16:48:11Z"
message: ReplicaSet "argocd-repo-server-6464df6895" has successfully progressed.
reason: NewReplicaSetAvailable
status: "True"
type: Progressing
- lastTransitionTime: "2024-02-25T14:28:59Z"
lastUpdateTime: "2024-02-25T14:28:59Z"
message: Deployment has minimum availability.
reason: MinimumReplicasAvailable
status: "True"
type: Available
observedGeneration: 13
readyReplicas: 1
replicas: 1
updatedReplicas: 1