ArgoCD Secure App Plugin

This repository contains a simple Argo CD plugin that serves the following purposes:

  • Allow multiple sources (Helm charts, plain manifests, Kustomize) to generate application resources
  • Automatically decrypt SOPS encrypted files while processing
  • Use standard input to pass decrypted resources. Never write decrypted files to disk unless absolutely necessary.

Credits

This plugin is largely inspired by the argocd-lovely-plugin. The only reason this plugin exists is that I needed to integrate SOPS into the workflow in a simple and secure way, meaning no decrypted files written to disk. Also, I didn't need all the features that the lovely plugin provides. I do recommend that you check it out to see if it fits your needs.

How it works

The plugin scans the current directory for any subdirectories that contain YAML files. Each subdirectory it finds is considered a potential source. Once the scan completes, all the subdirectory paths are inspected and pruned so that sources are not nested. A recommended structure for sources is:

app/helm-app-1        # A Helm chart to deploy app 1 (contains Chart.yaml and potentially a values.yaml)
app/helm-app-2        # A Helm chart to deploy app 2 (contains Chart.yaml and potentially a values.yaml)
app/helm-app-2/values # Additional Helm values for app 2
app/manifests         # Plain Kubernetes manifests
app/kustomize         # Kustomize files (include at least a `kustomization.yaml`)
app/secrets           # Encrypted Kubernetes manifests

SOPS Decryption

For Helm and plain manifests, the plugin scans each YAML file for a top-level key called 'sops'. If it finds this key, it will automatically decrypt the file with SOPS.

For Kustomize, we recommend using the kustomize-sops generator to decrypt secrets. An example can be found in test/kustomize-with-generator.

Helm

Each source directory is checked for the existence of a Chart.yaml file. If the chart file exists, the source is treated as a Helm chart. By default, the values.yaml file in the same directory (if it exists) is loaded and automatically decrypted. Additional (encrypted) Helm values can be placed in a subdirectory called values. They are added to the Helm command in lexicographic order; keep this in mind if you want to override values.

Kustomize

Each source directory is checked for the existence of a kustomization.yaml. If this file exists, the source is treated as a kustomize folder. SOPS secrets are decrypted implicitly when you use a kustomize-sops generator.

Manifests

You can create subdirectories with (encrypted) plain YAML manifests. These will be decrypted if necessary and fed to Kubernetes as-is.
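The scan-and-prune step from How it works and the top-level sops key check from SOPS Decryption, as an added Go example that is not the plugin's own code; the function names findSources and isSopsEncrypted, and the unindented-line test for the sops key, are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// findSources returns the subdirectories of root that directly contain YAML files, pruned
// so a directory nested inside another source is dropped (app/helm-app-2/values folds into app/helm-app-2).
func findSources(root string) ([]string, error) {
	var kept []string
	err := filepath.WalkDir(root, func(p string, d os.DirEntry, err error) error {
		ext := strings.ToLower(filepath.Ext(p))
		if err != nil || d.IsDir() || (ext != ".yaml" && ext != ".yml") {
			return err
		}
		rel, _ := filepath.Rel(root, filepath.Dir(p))
		if rel == "." {
			return nil // the app root itself is never a source
		}
		for _, k := range kept { // WalkDir visits a parent before its children
			if rel == k || strings.HasPrefix(rel, k+string(filepath.Separator)) {
				return nil // already recorded, or nested inside a source: prune
			}
		}
		kept = append(kept, rel)
		return nil
	})
	return kept, err
}

// isSopsEncrypted reports whether a YAML file has a top-level "sops" key, the marker that tells the
// plugin to decrypt it. The unindented-line check is a simplification assumed here; a YAML parser is stricter.
func isSopsEncrypted(path string) (bool, error) {
	data, err := os.ReadFile(path)
	for _, line := range strings.Split(string(data), "\n") {
		if strings.HasPrefix(line, "sops:") { // unindented, so top-level
			return true, err
		}
	}
	return false, err
}

func main() {
	srcs, err := findSources(".") // run from the app directory, like the plugin
	fmt.Println(srcs, err)
}
```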

Running the plugin

Locally

Build the plugin and make sure that the binary is somewhere in your path. Move to the directory that you would like to test and just run the binary. For example, if your ArgoCD app lives in apps/dex then run cd apps/dex && argocd-secure-app-plugin. This should provide you with an output of resources, ready to be fed to Argo CD.

IMPORTANT: if you use Helm charts, you need to set the ARGOCD_APP_NAME environment variable so that Helm correctly sets the metadata on resources.

IMPORTANT: to use SOPS secrets in Kustomize, you should install the kustomize-sops plugin into ~/.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops.

Within ArgoCD

TODO: Create a plugin docker image and add it as an additional container to the ArgoCD deployment.

Development and Testing

You can develop this plugin with Go 1.18. Tests can be run with go test ./... The format of the tests should be self-explanatory if you look at the examples in the test directory.

To let the Kustomize tests pass, you will need to install the kustomize-sops plugin into ~/.config/kustomize/plugin/viaduct.ai/v1/ksops/ksops.
